
Analysis Report Order Requirement 893.exe

Overview

General Information

Sample Name: Order Requirement 893.exe
Analysis ID: 395722
MD5: 94d0f17a6ccc191912e09efdbe611f5e
SHA1: 347d4231e88ac6fe82a8e701d0b16cfac652c92c
SHA256: e3532fb1c9e0c23e6e0b556425bceb08953c97883aacfb347789a3d8dd80099d
Tags: DarkComet, exe, RAT

Detection

DarkComet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected DarkComet
Allocates memory in foreign processes
Creates an undocumented autostart registry key
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Sample uses process hollowing technique
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses dynamic DNS services
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Enables driver privileges
Enables security privileges
Entry point lies outside standard sections
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Startup

  • System is w10x64
  • Order Requirement 893.exe (PID: 6764 cmdline: 'C:\Users\user\Desktop\Order Requirement 893.exe' MD5: 94D0F17A6CCC191912E09EFDBE611F5E)
    • vbc.exe (PID: 1088 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • cleanup

Malware Configuration

Threatname: DarkComet

{"PWD": "Password20$", "MUTEX": "DC_MUTEX-L1TFBNC", "SID": "April 2021", "FWB": "0", "NETDATA": ["bonding79.ddns.net:3316", "goodgt79.ddns.net:3316", "whatis79.ddns.net:3316", "smath79.ddns.net:3316", "jacknop79.ddns.net:3316", "chrisle79.ddns.net:3316"], "GENCODE": "PvcfTTVpBSKd", "OFFLINEK": "1"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.913141561.0000000002451000.00000004.00000001.sdmp | DarkComet_2 | DarkComet | Jean-Philippe Teissier / @Jipe_
  • 0xf80:$k2: #KCMDDC51#-890
00000005.00000002.913132933.000000000244A000.00000004.00000001.sdmp | DarkComet_2 | DarkComet | Jean-Philippe Teissier / @Jipe_
  • 0x928:$c: DC_MUTEX-
00000005.00000002.913029997.00000000023F8000.00000004.00000001.sdmp | DarkComet_2 | DarkComet | Jean-Philippe Teissier / @Jipe_
  • 0xcd8:$a: #BEGIN DARKCOMET DATA --
  • 0xf98:$a: #BEGIN DARKCOMET DATA --
  • 0xdf7:$b: #EOF DARKCOMET DATA --
  • 0x10b7:$b: #EOF DARKCOMET DATA --
  • 0xd0c:$c: DC_MUTEX-
  • 0xfcc:$c: DC_MUTEX-
00000005.00000002.912362038.0000000000400000.00000040.00000001.sdmp | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
  • 0x7dd24:$x1: UnActiveOfflineKeylogger
  • 0x84e2c:$x2: BTRESULTDownload File|Mass Download : File Downloaded , Executing new one in temp dir...|
  • 0x7dc88:$x3: ActiveOnlineKeylogger
  • 0x7e534:$x6: BTRESULTUpdate from URL|Update : File Downloaded , Executing new one in temp dir...|
  • 0x7e3c5:$s2: Command successfully executed!|
  • 0x65d98:$s3: BTMemoryLoadLibary: Get DLLEntyPoint failed
  • 0x72e28:$s4: I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!
  • 0x73ae4:$s5: \Internet Explorer\iexplore.exe
  • 0x7d510:$s6: ping 127.0.0.1 -n 4 > NUL && "
  • 0x65f84:$s7: BTMemoryGetProcAddress: DLL doesn't export anything
  • 0x83830:$s8: POST /index.php/1.0
00000005.00000002.912362038.0000000000400000.00000040.00000001.sdmp | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7e4ac:$a1: #BOT#URLUpdate
  • 0x7e3c5:$a2: Command successfully executed!
  • 0x1408:$b1: FastMM Borland Edition
  • 0x2bf4c:$b2: %s, ClassID: %s
  • 0x72e28:$b3: I wasn't able to open the hosts file
  • 0x7e2b0:$b4: #BOT#VisitUrl
  • 0x6d1c0:$b5: #KCMDDC

Unpacked PEs

Source | Rule | Description | Author | Strings
5.2.vbc.exe.400000.0.raw.unpack | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
  • 0x7dd24:$x1: UnActiveOfflineKeylogger
  • 0x84e2c:$x2: BTRESULTDownload File|Mass Download : File Downloaded , Executing new one in temp dir...|
  • 0x7dc88:$x3: ActiveOnlineKeylogger
  • 0x7e534:$x6: BTRESULTUpdate from URL|Update : File Downloaded , Executing new one in temp dir...|
  • 0x7e3c5:$s2: Command successfully executed!|
  • 0x65d98:$s3: BTMemoryLoadLibary: Get DLLEntyPoint failed
  • 0x72e28:$s4: I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer!
  • 0x73ae4:$s5: \Internet Explorer\iexplore.exe
  • 0x7d510:$s6: ping 127.0.0.1 -n 4 > NUL && "
  • 0x65f84:$s7: BTMemoryGetProcAddress: DLL doesn't export anything
  • 0x83830:$s8: POST /index.php/1.0
5.2.vbc.exe.400000.0.raw.unpack | RAT_DarkComet | Detects DarkComet RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7e4ac:$a1: #BOT#URLUpdate
  • 0x7e3c5:$a2: Command successfully executed!
  • 0x1408:$b1: FastMM Borland Edition
  • 0x2bf4c:$b2: %s, ClassID: %s
  • 0x72e28:$b3: I wasn't able to open the hosts file
  • 0x7e2b0:$b4: #BOT#VisitUrl
  • 0x6d1c0:$b5: #KCMDDC
5.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_DarkCometRat | Yara detected DarkComet | Kevin Breen <kevin@techanarchy.net>
5.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
5.2.vbc.exe.400000.0.raw.unpack | DarkComet_1 | DarkComet RAT | botherder https://github.com/botherder
  • 0x7e2c8:$bot1: #BOT#OpenUrl
  • 0x7e344:$bot2: #BOT#Ping
  • 0x7e38c:$bot3: #BOT#RunPrompt
  • 0x7e44c:$bot4: #BOT#SvrUninstall
  • 0x7e594:$bot5: #BOT#URLDownload
  • 0x7e4ac:$bot6: #BOT#URLUpdate
  • 0x7e2b0:$bot7: #BOT#VisitUrl
  • 0x7e3f0:$bot8: #BOT#CloseServer
  • 0x7e638:$ddos1: DDOSHTTPFLOOD
  • 0x7e650:$ddos2: DDOSSYNFLOOD
  • 0x7e668:$ddos3: DDOSUDPFLOOD
  • 0x7dc88:$keylogger1: ActiveOnlineKeylogger
  • 0x7dcaa:$keylogger1: ActiveOnlineKeylogger
  • 0x7dca8:$keylogger2: UnActiveOnlineKeylogger
  • 0x7dd04:$keylogger3: ActiveOfflineKeylogger
  • 0x7dd26:$keylogger3: ActiveOfflineKeylogger
  • 0x7dd24:$keylogger4: UnActiveOfflineKeylogger
  • 0x7e930:$shell1: ACTIVEREMOTESHELL
  • 0x7e95c:$shell2: SUBMREMOTESHELL
  • 0x7e974:$shell3: KILLREMOTESHELL

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 5.2.vbc.exe.400000.0.unpack, Malware Configuration Extractor: DarkComet {"PWD": "Password20$", "MUTEX": "DC_MUTEX-L1TFBNC", "SID": "April 2021", "FWB": "0", "NETDATA": ["bonding79.ddns.net:3316", "goodgt79.ddns.net:3316", "whatis79.ddns.net:3316", "smath79.ddns.net:3316", "jacknop79.ddns.net:3316", "chrisle79.ddns.net:3316"], "GENCODE": "PvcfTTVpBSKd", "OFFLINEK": "1"}
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\ye5MuI5NRbzmJH25\1mUT2u8YWVey.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Order Requirement 893.exe, Joe Sandbox ML: detected
Source: 5.2.vbc.exe.400000.0.unpack, Avira: Label: BDS/DarkKomet.GS
Source: 0.0.Order Requirement 893.exe.a20000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen2
Source: Order Requirement 893.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\Order Requirement 893.exe, File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Binary string: mscorrc.pdb source: Order Requirement 893.exe, 00000000.00000002.929178854.000000000AAE0000.00000002.00000001.sdmp

Networking:

Uses dynamic DNS services
Source: unknown, DNS query: name: whatis79.ddns.net
Source: unknown, DNS query: name: bonding79.ddns.net
Source: unknown, DNS query: name: jacknop79.ddns.net
Source: unknown, DNS query: name: smath79.ddns.net
Source: unknown, DNS query: name: goodgt79.ddns.net
Source: unknown, DNS query: name: chrisle79.ddns.net
Source: global traffic, TCP traffic: 192.168.2.4:49726 -> 199.195.253.181:3316
Source: Joe Sandbox View, IP Address: 199.195.253.181
Source: Joe Sandbox View, ASN Name: PONYNETUS
Source: unknown, DNS traffic detected: queries for: bonding79.ddns.net

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Source: Yara match, File source: 00000000.00000002.916865423.0000000005400000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.917528778.000000000667E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.912447148.000000000049D000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: Order Requirement 893.exe PID: 6764, type: MEMORY
Source: Yara match, File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000005.00000002.913141561.0000000002451000.00000004.00000001.sdmp, type: MEMORY, Matched rule: DarkComet, Author: Jean-Philippe Teissier / @Jipe_
Source: 00000005.00000002.913132933.000000000244A000.00000004.00000001.sdmp, type: MEMORY, Matched rule: DarkComet, Author: Jean-Philippe Teissier / @Jipe_
Source: 00000005.00000002.913029997.00000000023F8000.00000004.00000001.sdmp, type: MEMORY, Matched rule: DarkComet, Author: Jean-Philippe Teissier / @Jipe_
Source: 00000005.00000002.912362038.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detects DarkComet RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.912362038.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: DarkComet RAT, Author: botherder https://github.com/botherder
Source: 00000005.00000002.912362038.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: DarkComet_3, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.912362038.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: DarkComet_4, Author: unknown
Source: 00000000.00000002.917528778.000000000667E000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detects DarkComet RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.917528778.000000000667E000.00000004.00000001.sdmp, type: MEMORY, Matched rule: DarkComet RAT, Author: botherder https://github.com/botherder
Source: 00000000.00000002.917528778.000000000667E000.00000004.00000001.sdmp, type: MEMORY, Matched rule: DarkComet_3, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.917528778.000000000667E000.00000004.00000001.sdmp, type: MEMORY, Matched rule: DarkComet_4, Author: unknown
Source: 00000000.00000003.686622968.0000000006798000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detects DarkComet RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.686622968.0000000006798000.00000004.00000001.sdmp, type: MEMORY, Matched rule: DarkComet RAT, Author: botherder https://github.com/botherder
Source: 00000000.00000003.686622968.0000000006798000.00000004.00000001.sdmp, type: MEMORY, Matched rule: DarkComet_3, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.686622968.0000000006798000.00000004.00000001.sdmp, type: MEMORY, Matched rule: DarkComet_4, Author: unknown
Source: Process Memory Space: vbc.exe PID: 1088, type: MEMORY, Matched rule: DarkComet, Author: Jean-Philippe Teissier / @Jipe_
Source: Process Memory Space: Order Requirement 893.exe PID: 6764, type: MEMORY, Matched rule: Detects DarkComet RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Order Requirement 893.exe PID: 6764, type: MEMORY, Matched rule: DarkComet RAT, Author: botherder https://github.com/botherder
Source: Process Memory Space: Order Requirement 893.exe PID: 6764, type: MEMORY, Matched rule: DarkComet_3, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Order Requirement 893.exe PID: 6764, type: MEMORY, Matched rule: DarkComet_4, Author: unknown
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects DarkComet RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: DarkComet RAT, Author: botherder https://github.com/botherder
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: DarkComet_3, Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: DarkComet_4, Author: unknown
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects DarkComet RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: DarkComet RAT, Author: botherder https://github.com/botherder
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: DarkComet_3, Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: DarkComet_4, Author: unknown
Yara detected DarkComet
Source: Yara match, File source: 00000005.00000002.912362038.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.917528778.000000000667E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.686622968.0000000006798000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: Order Requirement 893.exe PID: 6764, type: MEMORY
Source: Yara match, File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Initial sample is a PE file and has a suspicious name
Source: initial sample, Static PE information: Filename: Order Requirement 893.exe
PE file contains section with special chars
Source: Order Requirement 893.exe, Static PE information: section name:
Source: Order Requirement 893.exe, Static PE information: section name: .idata
Source: 1mUT2u8YWVey.exe.0.dr, Static PE information: section name:
Source: 1mUT2u8YWVey.exe.0.dr, Static PE information: section name: .idata
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BA40B8
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B4F0BD
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B720BE
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B0F0BC
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BCB0AD
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00C0C0D2
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B280A1
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00C190D9
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BE10A1
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00C0E0DF
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B8D09A
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BA3098
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B99091
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BF7096
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BFF091
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00AF5080
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B16080
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00C220F0
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B3D0F0
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B860FD
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B580F2
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00C3B08A
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B060FD
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00C3409E
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00AF10F1
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B4D0EA
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BD30E3
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BE90E1
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B730D5
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BC80DA
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BC70D7
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00C0A0AE
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BCE0C9
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00AF202E
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B8E031
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B9A034
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B5203A
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BE2031
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BFB02C
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B46022
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00C02058
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B2602B
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00C3905D
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BE6021
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BC901D
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B5A016
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B12012
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00C05064
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B7B010
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BAD013
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00AFD005
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B6901C
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00AFC003
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B3301F
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BDE010
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B9200C
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B20004
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BD700B
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00C4107C
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BD0003
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B55070
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B41073
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00AEE061
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B25062
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BD9069
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B96063
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B35068
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B4706B
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BE405D
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B0005B
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BC2051
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BB904A
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00C3D03B
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BB4041
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B5B04E
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BB1044
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00C2703D
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B0E1B1
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BD91B5
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00AF21A5
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BE31B0
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BAB1AE
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00C151E3
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B5D193
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B82193
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B2319F
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00AEF190
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BB51FA
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B671F4
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BB61FC
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B0B1FB
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B571F8
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B941E9
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B531E0
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B511E3
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BAE1E3
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B101EB
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B491EF
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B3C1EC
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B1D1D6
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00AF01C3
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BF81D3
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00C07150
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B5F128
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BA8117
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BE0106
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BBD102
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B47177
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B6A171
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BFB177
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B3017A
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B77169
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B9515B
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00C2F124
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BB0151
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00C5312E
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BEC150
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B14149
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BA6143
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B1B14D
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00C3213D
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00AEE2AF
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B122B4
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B502B3
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00C162C6
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BBF2B0
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B112A1
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BF42AB
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BF92AB
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B2A2A5
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BDE2A5
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00C062DD
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B452AA
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B7A295
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B2929F
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B9B297
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00C372F1
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BAD289
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BAC28C
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BF3289
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BCD281
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B082F1
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B7B2F6
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00C0B286
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00AF82E8
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00C31289
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BC12EC
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BB22E7
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BED2E3
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00C302A4
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BBA2D2
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00C332AF
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B142DF
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B2C2C1
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BA523A
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B58237
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00C40242
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B31238
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BBE218
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B89213
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00C2D26C
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BDA20C
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B8720A
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BFC206
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B0520F
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B8A270
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B7927E
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00C2A20B
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BA9270
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B3227F
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00AFB262
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BDC269
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B9F26E
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B4A24E
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BA0241
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B943BD
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00C1B3C7
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BE03B5
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B833B5
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B213BD
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BD73AE
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00C3C3D9
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B56395
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B66393
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00C473E9
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00C143F3
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B92381
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BC0385
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B0138C
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BAF386
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B0C38D
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BF6380
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BD43F9
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B993F7
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B433FB
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BB93EF
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B063EF
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BD03DA
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B963C9
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BC93CA
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B973CE
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B543CF
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00C2C342
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BE533F
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BC533F
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B39337
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B6833C
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BFD331
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B75338
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BF5330
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B98318
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B2E31E
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00C0E36D
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B76319
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B70302
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B7F30D
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B6D30A
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B1530C
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00C18301
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B7137B
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00AF3362
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BE635C
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00C29321
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B9C35F
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00C3B32A
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B36358
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B81355
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BB834C
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BD134A
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00AF7352
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00BA7344
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00AF44AF
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B624B2
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B894BC
      Source: C:\Users\user\Desktop\Order Requirement 893.exe; Code function: 0_2_00B134B6
      Source: C:\Users\user\Desktop\Order Requirement 893.exe