Analysis Report order.exe

Overview

General Information

Sample Name: order.exe
Analysis ID: 320634
MD5: 27d7951ec430f93458370a00272d823d
SHA1: 195eef585ef2307027df1ff05678ea2be23ae25e
SHA256: 306d4c4068a82c3c744c534054536b99a0887d71f194a0dcb689bfea9fd0e0f3
Tags: exe, GuLoader

Most interesting Screenshot:

Detection

FormBook GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: order.exe Virustotal: Detection: 22%
Source: order.exe ReversingLabs: Detection: 41%
Yara detected FormBook
Source: Yara match File source: 00000013.00000002.506645902.0000000004EC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.505278996.00000000007A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.415907039.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.506547005.0000000004E90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.421125890.000000001E150000.00000040.00000001.sdmp, type: MEMORY

Networking:

JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown DNS traffic detected: queries for: pilatescollective.com
Source: order.exe, 0000000C.00000002.415980723.0000000000560000.00000040.00000001.sdmp String found in binary or memory: https://pilatescollective.com/meantunde/komyydor_NMWgNRCNBM31.bin
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: order.exe, 00000000.00000002.347850855.00000000006BA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000013.00000002.506645902.0000000004EC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.505278996.00000000007A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.415907039.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.506547005.0000000004E90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.421125890.000000001E150000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000013.00000002.506645902.0000000004EC0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.506645902.0000000004EC0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.506407898.0000000004C35000.00000004.00000020.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000013.00000002.505278996.00000000007A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.505278996.00000000007A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.508528778.00000000055FF000.00000004.00000001.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 0000000C.00000002.415907039.00000000000A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.415907039.00000000000A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.506547005.0000000004E90000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.506547005.0000000004E90000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.421125890.000000001E150000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.421125890.000000001E150000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: order.exe
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\order.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Detected potential crypto function
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_051C2D07 19_2_051C2D07
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_050F0D20 19_2_050F0D20
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_051C1D55 19_2_051C1D55
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_05122581 19_2_05122581
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_051C25DD 19_2_051C25DD
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_0510D5E0 19_2_0510D5E0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_0510841F 19_2_0510841F
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_051BD466 19_2_051BD466
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_051CDFCE 19_2_051CDFCE
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_051C1FF1 19_2_051C1FF1
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_051BD616 19_2_051BD616
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_05116E30 19_2_05116E30
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_051C2EF7 19_2_051C2EF7
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_050FF900 19_2_050FF900
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_05114120 19_2_05114120
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_051199BF 19_2_051199BF
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_051B1002 19_2_051B1002
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_0511A830 19_2_0511A830
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_051CE824 19_2_051CE824
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_0510B090 19_2_0510B090
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_051220A0 19_2_051220A0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_051C20A8 19_2_051C20A8
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_051C28EC 19_2_051C28EC
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_051C2B28 19_2_051C2B28
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_0511AB40 19_2_0511AB40
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_0512EBB0 19_2_0512EBB0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_051B03DA 19_2_051B03DA
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_051BDBD2 19_2_051BDBD2
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_051AFA2B 19_2_051AFA2B
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_051C22AE 19_2_051C22AE
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_007BD8B1 19_2_007BD8B1
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_007BE89C 19_2_007BE89C
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_007BE1F1 19_2_007BE1F1
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_007A2D90 19_2_007A2D90
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_007A2D8A 19_2_007A2D8A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_007A9E40 19_2_007A9E40
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_007A2FB0 19_2_007A2FB0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_007BCF83 19_2_007BCF83
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: String function: 050FB150 appears 72 times
Source: C:\Users\user\Desktop\order.exe Code function: String function: 1E3AB150 appears 54 times
PE file contains strange resources
Source: order.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: order.exe, 00000000.00000002.347334794.0000000000415000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamePENGESEDLERS.exe vs order.exe
Source: order.exe, 00000000.00000002.348138525.00000000021E0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs order.exe
Source: order.exe, 0000000C.00000002.420922926.000000001DDA0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs order.exe
Source: order.exe, 0000000C.00000002.420991234.000000001DEF0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs order.exe
Source: order.exe, 0000000C.00000000.346370402.0000000000415000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamePENGESEDLERS.exe vs order.exe
Source: order.exe, 0000000C.00000002.421651645.000000001E49F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs order.exe
Source: order.exe, 0000000C.00000002.415954016.00000000000D6000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCHKDSK.EXEj% vs order.exe
Source: order.exe Binary or memory string: OriginalFilenamePENGESEDLERS.exe vs order.exe
Yara signature match
Source: 00000013.00000002.506645902.0000000004EC0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.506645902.0000000004EC0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.506407898.0000000004C35000.00000004.00000020.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000002.505278996.00000000007A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.505278996.00000000007A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.508528778.00000000055FF000.00000004.00000001.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000C.00000002.415907039.00000000000A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.415907039.00000000000A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.506547005.0000000004E90000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.506547005.0000000004E90000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.421125890.000000001E150000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.421125890.000000001E150000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine Classification label: mal100.rans.troj.spyw.evad.winEXE@7/0@1/1
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5452:120:WilError_01
Source: order.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\order.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\order.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\order.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: order.exe Virustotal: Detection: 22%
Source: order.exe ReversingLabs: Detection: 41%
Source: unknown Process created: C:\Users\user\Desktop\order.exe 'C:\Users\user\Desktop\order.exe'
Source: unknown Process created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\order.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\order.exe Process created: C:\Users\user\Desktop\order.exe 'C:\Users\user\Desktop\order.exe'
Source: C:\Windows\SysWOW64\chkdsk.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\order.exe'
Source: C:\Users\user\Desktop\order.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32
Source: Binary string: chkdsk.pdbGCTL source: order.exe, 0000000C.00000002.415942202.00000000000D0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000010.00000000.403086058.000000000E6F0000.00000002.00000001.sdmp
Source: Binary string: chkdsk.pdb source: order.exe, 0000000C.00000002.415942202.00000000000D0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: order.exe, 0000000C.00000002.421351071.000000001E380000.00000040.00000001.sdmp, chkdsk.exe, 00000013.00000002.507166731.00000000050D0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: order.exe, chkdsk.exe
Source: Binary string: wscui.pdb source: explorer.exe, 00000010.00000000.403086058.000000000E6F0000.00000002.00000001.sdmp

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: Process Memory Space: order.exe PID: 6752, type: MEMORY
Source: Yara match File source: Process Memory Space: order.exe PID: 6008, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: order.exe PID: 6752, type: MEMORY
Source: Yara match File source: Process Memory Space: order.exe PID: 6008, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\order.exe Code function: 0_2_00412675 push eax; ret 0_2_004126B4
Source: C:\Users\user\Desktop\order.exe Code function: 0_2_02287249 push FFFFFFB9h; retf 0_2_022872AB
Source: C:\Users\user\Desktop\order.exe Code function: 0_2_022872BF push FFFFFFB9h; retf 0_2_022872AB
Source: C:\Users\user\Desktop\order.exe Code function: 0_2_022872BF push FFFFFFB9h; retf 0_2_022872CA
Source: C:\Users\user\Desktop\order.exe Code function: 0_2_022892B0 push dword ptr [edx]; ret 0_2_022892B7
Source: C:\Users\user\Desktop\order.exe Code function: 0_2_02286FAE push FFFFFFB9h; retf 0_2_02286FB9
Source: C:\Users\user\Desktop\order.exe Code function: 0_2_02286FCD push FFFFFFB9h; retf 0_2_02286FD8
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3FD0D1 push ecx; ret 12_2_1E3FD0E4
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_0008E3E6 pushad ; ret 12_2_0008E3E7
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_000B60A4 push esp; ret 12_2_000B60A8
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_000B79B8 push es; retf 12_2_000B79BF
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_000B7AD6 push edi; iretd 12_2_000B7AD7
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_000B63D0 push ecx; iretd 12_2_000B63D2
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_000BCE95 push eax; ret 12_2_000BCEE8
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_000BCEEB push eax; ret 12_2_000BCF52
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_000BCEE2 push eax; ret 12_2_000BCEE8
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_000BCF4C push eax; ret 12_2_000BCF52
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_00567249 push FFFFFFB9h; retf 12_2_005672AB
Source: C:\Windows\explorer.exe Code function: 16_2_06D083E6 pushad ; ret 16_2_06D083E7
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_0514D0D1 push ecx; ret 19_2_0514D0E4
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_007B60A4 push esp; ret 19_2_007B60A8
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_007B79B8 push es; retf 19_2_007B79BF
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_007B7AD6 push edi; iretd 19_2_007B7AD7
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_007B63D0 push ecx; iretd 19_2_007B63D2
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_007BCEEB push eax; ret 19_2_007BCF52
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_007BCEE2 push eax; ret 19_2_007BCEE8
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_007BCE95 push eax; ret 19_2_007BCEE8
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_007BCF4C push eax; ret 19_2_007BCF52

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x84 0x4E 0xED
Source: C:\Users\user\Desktop\order.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\chkdsk.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\order.exe RDTSC instruction interceptor: First address: 0000000002287CB9 second address: 0000000002287CB9 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FA1FCF53148h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f pushad 0x00000020 mov bx, 04F4h 0x00000024 cmp bx, 04F4h 0x00000029 jne 00007FA1FCF4BD76h 0x0000002f popad 0x00000030 jmp 00007FA1FCF5316Ah 0x00000032 cmp bx, bx 0x00000035 cmp dh, ah 0x00000037 add edi, edx 0x00000039 dec dword ptr [ebp+000000F8h] 0x0000003f cmp dl, bl 0x00000041 cmp dword ptr [ebp+000000F8h], 00000000h 0x00000048 jne 00007FA1FCF530E7h 0x0000004a test dl, al 0x0000004c nop 0x0000004d call 00007FA1FCF531DDh 0x00000052 call 00007FA1FCF5315Ah 0x00000057 lfence 0x0000005a mov edx, dword ptr [7FFE0014h] 0x00000060 lfence 0x00000063 ret 0x00000064 mov esi, edx 0x00000066 pushad 0x00000067 rdtsc
Tries to detect Any.run
Source: C:\Users\user\Desktop\order.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\order.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: order.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\order.exe RDTSC instruction interceptor: First address: 0000000002287CDB second address: 0000000002287CDB instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007FA1FCD29D0Ch 0x0000001f popad 0x00000020 call 00007FA1FCD29718h 0x00000025 lfence 0x00000028 rdtsc
Source: C:\Users\user\Desktop\order.exe RDTSC instruction interceptor: First address: 0000000000567CDB second address: 0000000000567CDB instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007FA1FCF538ACh 0x0000001f popad 0x00000020 call 00007FA1FCF532B8h 0x00000025 lfence 0x00000028 rdtsc
Source: C:\Users\user\Desktop\order.exe RDTSC instruction interceptor: First address: 0000000000567689 second address: 0000000000567689 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov eax, dword ptr [ebp+64h] 0x00000006 test ch, bh 0x00000008 mov bx, word ptr [edx+00010040h] 0x0000000f cmp al, 0Bh 0x00000011 mov ax, word ptr [eax] 0x00000014 xor ax, cx 0x00000017 xor bx, ax 0x0000001a cmp esi, 54674AF8h 0x00000020 cmp bx, 5A4Dh 0x00000025 je 00007FA1FCD295D4h 0x00000027 jmp 00007FA1FCD295C6h 0x00000029 test ch, FFFFFFA5h 0x0000002c inc cx 0x0000002e jmp 00007FA1FCD29548h 0x00000030 pushad 0x00000031 mov edx, 000000D4h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\order.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\order.exe RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe RDTSC instruction interceptor: First address: 00000000007A98E4 second address: 00000000007A98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe RDTSC instruction interceptor: First address: 00000000007A9B5E second address: 00000000007A9B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\order.exe Code function: 0_2_02287738 rdtsc 0_2_02287738
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\order.exe TID: 5184 Thread sleep count: 186 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: explorer.exe, 00000010.00000000.399402456.0000000008A32000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000010.00000000.399402456.0000000008A32000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000010.00000002.519599048.00000000059C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000010.00000000.399663925.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000010.00000000.399663925.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 00000010.00000000.391821194.00000000048E0000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000010.00000002.520456319.00000000068B8000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWe_%SystemRoot%\system32\mswsock.dll
Source: explorer.exe, 00000010.00000000.399663925.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
Source: explorer.exe, 00000010.00000000.399496745.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
Source: explorer.exe, 00000010.00000000.399496745.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000010.00000000.396640200.00000000069DA000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD002
Source: explorer.exe, 00000010.00000000.376117915.0000000000EB8000.00000004.00000020.sdmp Binary or memory string: en_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
Source: explorer.exe, 00000010.00000002.519599048.00000000059C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: order.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: explorer.exe, 00000010.00000002.519599048.00000000059C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000010.00000002.519599048.00000000059C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\order.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Users\user\Desktop\order.exe Code function: 0_2_02287738 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,?,00000000,00000000,00000040,02280914,00000000,00000000,00000000,00000000,? 0_2_02287738
Hides threads from debuggers
Source: C:\Users\user\Desktop\order.exe Thread information set: HideFromDebugger
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\order.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\chkdsk.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\order.exe Code function: 0_2_02287738 rdtsc 0_2_02287738
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\order.exe Code function: 0_2_02284CF3 LdrInitializeThunk, 0_2_02284CF3
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\order.exe Code function: 0_2_02286E81 mov eax, dword ptr fs:[00000030h] 0_2_02286E81
Source: C:\Users\user\Desktop\order.exe Code function: 0_2_022885C3 mov eax, dword ptr fs:[00000030h] 0_2_022885C3
Source: C:\Users\user\Desktop\order.exe Code function: 0_2_02288633 mov eax, dword ptr fs:[00000030h] 0_2_02288633
Source: C:\Users\user\Desktop\order.exe Code function: 0_2_02288603 mov eax, dword ptr fs:[00000030h] 0_2_02288603
Source: C:\Users\user\Desktop\order.exe Code function: 0_2_0228865F mov eax, dword ptr fs:[00000030h] 0_2_0228865F
Source: C:\Users\user\Desktop\order.exe Code function: 0_2_0228868A mov eax, dword ptr fs:[00000030h] 0_2_0228868A
Source: C:\Users\user\Desktop\order.exe Code function: 0_2_02286E83 mov eax, dword ptr fs:[00000030h] 0_2_02286E83
Source: C:\Users\user\Desktop\order.exe Code function: 0_2_022886CA mov eax, dword ptr fs:[00000030h] 0_2_022886CA
Source: C:\Users\user\Desktop\order.exe Code function: 0_2_02288323 mov eax, dword ptr fs:[00000030h] 0_2_02288323
Source: C:\Users\user\Desktop\order.exe Code function: 0_2_022843B0 mov eax, dword ptr fs:[00000030h] 0_2_022843B0
Source: C:\Users\user\Desktop\order.exe Code function: 0_2_02283067 mov eax, dword ptr fs:[00000030h] 0_2_02283067
Source: C:\Users\user\Desktop\order.exe Code function: 0_2_02287879 mov eax, dword ptr fs:[00000030h] 0_2_02287879
Source: C:\Users\user\Desktop\order.exe Code function: 0_2_02282CED mov eax, dword ptr fs:[00000030h] 0_2_02282CED
Source: C:\Users\user\Desktop\order.exe Code function: 0_2_022830CA mov eax, dword ptr fs:[00000030h] 0_2_022830CA
Source: C:\Users\user\Desktop\order.exe Code function: 0_2_0228252E mov eax, dword ptr fs:[00000030h] 0_2_0228252E
Source: C:\Users\user\Desktop\order.exe Code function: 0_2_02282D18 mov eax, dword ptr fs:[00000030h] 0_2_02282D18
Source: C:\Users\user\Desktop\order.exe Code function: 0_2_022885C8 mov eax, dword ptr fs:[00000030h] 0_2_022885C8
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E46AE44 mov eax, dword ptr fs:[00000030h] 12_2_1E46AE44
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3AE620 mov eax, dword ptr fs:[00000030h] 12_2_1E3AE620
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3DA61C mov eax, dword ptr fs:[00000030h] 12_2_1E3DA61C
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3AC600 mov eax, dword ptr fs:[00000030h] 12_2_1E3AC600
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3D8E00 mov eax, dword ptr fs:[00000030h] 12_2_1E3D8E00
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E461608 mov eax, dword ptr fs:[00000030h] 12_2_1E461608
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3CAE73 mov eax, dword ptr fs:[00000030h] 12_2_1E3CAE73
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3B766D mov eax, dword ptr fs:[00000030h] 12_2_1E3B766D
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E45FE3F mov eax, dword ptr fs:[00000030h] 12_2_1E45FE3F
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3B7E41 mov eax, dword ptr fs:[00000030h] 12_2_1E3B7E41
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3B7E41 mov eax, dword ptr fs:[00000030h] 12_2_1E3B7E41
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3B7E41 mov eax, dword ptr fs:[00000030h] 12_2_1E3B7E41
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3B7E41 mov eax, dword ptr fs:[00000030h] 12_2_1E3B7E41
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3B7E41 mov eax, dword ptr fs:[00000030h] 12_2_1E3B7E41
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3B7E41 mov eax, dword ptr fs:[00000030h] 12_2_1E3B7E41
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E45FEC0 mov eax, dword ptr fs:[00000030h] 12_2_1E45FEC0
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E478ED6 mov eax, dword ptr fs:[00000030h] 12_2_1E478ED6
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E43FE87 mov eax, dword ptr fs:[00000030h] 12_2_1E43FE87
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3B76E2 mov eax, dword ptr fs:[00000030h] 12_2_1E3B76E2
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3D16E0 mov ecx, dword ptr fs:[00000030h] 12_2_1E3D16E0
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E470EA5 mov eax, dword ptr fs:[00000030h] 12_2_1E470EA5
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E470EA5 mov eax, dword ptr fs:[00000030h] 12_2_1E470EA5
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E470EA5 mov eax, dword ptr fs:[00000030h] 12_2_1E470EA5
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E4246A7 mov eax, dword ptr fs:[00000030h] 12_2_1E4246A7
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3D36CC mov eax, dword ptr fs:[00000030h] 12_2_1E3D36CC
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3E8EC7 mov eax, dword ptr fs:[00000030h] 12_2_1E3E8EC7
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3DE730 mov eax, dword ptr fs:[00000030h] 12_2_1E3DE730
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3A4F2E mov eax, dword ptr fs:[00000030h] 12_2_1E3A4F2E
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3A4F2E mov eax, dword ptr fs:[00000030h] 12_2_1E3A4F2E
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3CF716 mov eax, dword ptr fs:[00000030h] 12_2_1E3CF716
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E478F6A mov eax, dword ptr fs:[00000030h] 12_2_1E478F6A
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3DA70E mov eax, dword ptr fs:[00000030h] 12_2_1E3DA70E
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3DA70E mov eax, dword ptr fs:[00000030h] 12_2_1E3DA70E
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E47070D mov eax, dword ptr fs:[00000030h] 12_2_1E47070D
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E47070D mov eax, dword ptr fs:[00000030h] 12_2_1E47070D
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E43FF10 mov eax, dword ptr fs:[00000030h] 12_2_1E43FF10
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E43FF10 mov eax, dword ptr fs:[00000030h] 12_2_1E43FF10
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3BFF60 mov eax, dword ptr fs:[00000030h] 12_2_1E3BFF60
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3BEF40 mov eax, dword ptr fs:[00000030h] 12_2_1E3BEF40
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3B8794 mov eax, dword ptr fs:[00000030h] 12_2_1E3B8794
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3E37F5 mov eax, dword ptr fs:[00000030h] 12_2_1E3E37F5
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E427794 mov eax, dword ptr fs:[00000030h] 12_2_1E427794
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E427794 mov eax, dword ptr fs:[00000030h] 12_2_1E427794
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E427794 mov eax, dword ptr fs:[00000030h] 12_2_1E427794
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3DBC2C mov eax, dword ptr fs:[00000030h] 12_2_1E3DBC2C
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E43C450 mov eax, dword ptr fs:[00000030h] 12_2_1E43C450
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E43C450 mov eax, dword ptr fs:[00000030h] 12_2_1E43C450
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E461C06 mov eax, dword ptr fs:[00000030h] 12_2_1E461C06
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E461C06 mov eax, dword ptr fs:[00000030h] 12_2_1E461C06
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E461C06 mov eax, dword ptr fs:[00000030h] 12_2_1E461C06
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E461C06 mov eax, dword ptr fs:[00000030h] 12_2_1E461C06
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E461C06 mov eax, dword ptr fs:[00000030h] 12_2_1E461C06
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E461C06 mov eax, dword ptr fs:[00000030h] 12_2_1E461C06
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E461C06 mov eax, dword ptr fs:[00000030h] 12_2_1E461C06
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E461C06 mov eax, dword ptr fs:[00000030h] 12_2_1E461C06
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E461C06 mov eax, dword ptr fs:[00000030h] 12_2_1E461C06
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E461C06 mov eax, dword ptr fs:[00000030h] 12_2_1E461C06
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E461C06 mov eax, dword ptr fs:[00000030h] 12_2_1E461C06
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E461C06 mov eax, dword ptr fs:[00000030h] 12_2_1E461C06
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E461C06 mov eax, dword ptr fs:[00000030h] 12_2_1E461C06
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E461C06 mov eax, dword ptr fs:[00000030h] 12_2_1E461C06
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E426C0A mov eax, dword ptr fs:[00000030h] 12_2_1E426C0A
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E426C0A mov eax, dword ptr fs:[00000030h] 12_2_1E426C0A
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E426C0A mov eax, dword ptr fs:[00000030h] 12_2_1E426C0A
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E426C0A mov eax, dword ptr fs:[00000030h] 12_2_1E426C0A
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E47740D mov eax, dword ptr fs:[00000030h] 12_2_1E47740D
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E47740D mov eax, dword ptr fs:[00000030h] 12_2_1E47740D
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E47740D mov eax, dword ptr fs:[00000030h] 12_2_1E47740D
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3C746D mov eax, dword ptr fs:[00000030h] 12_2_1E3C746D
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3DA44B mov eax, dword ptr fs:[00000030h] 12_2_1E3DA44B
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E478CD6 mov eax, dword ptr fs:[00000030h] 12_2_1E478CD6
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3B849B mov eax, dword ptr fs:[00000030h] 12_2_1E3B849B
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E426CF0 mov eax, dword ptr fs:[00000030h] 12_2_1E426CF0
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E426CF0 mov eax, dword ptr fs:[00000030h] 12_2_1E426CF0
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E426CF0 mov eax, dword ptr fs:[00000030h] 12_2_1E426CF0
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E4614FB mov eax, dword ptr fs:[00000030h] 12_2_1E4614FB
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E423540 mov eax, dword ptr fs:[00000030h] 12_2_1E423540
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E453D40 mov eax, dword ptr fs:[00000030h] 12_2_1E453D40
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3D4D3B mov eax, dword ptr fs:[00000030h] 12_2_1E3D4D3B
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3D4D3B mov eax, dword ptr fs:[00000030h] 12_2_1E3D4D3B
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3D4D3B mov eax, dword ptr fs:[00000030h] 12_2_1E3D4D3B
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3AAD30 mov eax, dword ptr fs:[00000030h] 12_2_1E3AAD30
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3B3D34 mov eax, dword ptr fs:[00000030h] 12_2_1E3B3D34
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3B3D34 mov eax, dword ptr fs:[00000030h] 12_2_1E3B3D34
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3B3D34 mov eax, dword ptr fs:[00000030h] 12_2_1E3B3D34
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3B3D34 mov eax, dword ptr fs:[00000030h] 12_2_1E3B3D34
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3B3D34 mov eax, dword ptr fs:[00000030h] 12_2_1E3B3D34
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3B3D34 mov eax, dword ptr fs:[00000030h] 12_2_1E3B3D34
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3B3D34 mov eax, dword ptr fs:[00000030h] 12_2_1E3B3D34
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3B3D34 mov eax, dword ptr fs:[00000030h] 12_2_1E3B3D34
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3B3D34 mov eax, dword ptr fs:[00000030h] 12_2_1E3B3D34
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3B3D34 mov eax, dword ptr fs:[00000030h] 12_2_1E3B3D34
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3B3D34 mov eax, dword ptr fs:[00000030h] 12_2_1E3B3D34
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3B3D34 mov eax, dword ptr fs:[00000030h] 12_2_1E3B3D34
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3B3D34 mov eax, dword ptr fs:[00000030h] 12_2_1E3B3D34
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3CC577 mov eax, dword ptr fs:[00000030h] 12_2_1E3CC577
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3CC577 mov eax, dword ptr fs:[00000030h] 12_2_1E3CC577
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3C7D50 mov eax, dword ptr fs:[00000030h] 12_2_1E3C7D50
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E478D34 mov eax, dword ptr fs:[00000030h] 12_2_1E478D34
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E42A537 mov eax, dword ptr fs:[00000030h] 12_2_1E42A537
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3E3D43 mov eax, dword ptr fs:[00000030h] 12_2_1E3E3D43
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E46E539 mov eax, dword ptr fs:[00000030h] 12_2_1E46E539
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3D1DB5 mov eax, dword ptr fs:[00000030h] 12_2_1E3D1DB5
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3D1DB5 mov eax, dword ptr fs:[00000030h] 12_2_1E3D1DB5
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3D1DB5 mov eax, dword ptr fs:[00000030h] 12_2_1E3D1DB5
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E426DC9 mov eax, dword ptr fs:[00000030h] 12_2_1E426DC9
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E426DC9 mov eax, dword ptr fs:[00000030h] 12_2_1E426DC9
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E426DC9 mov eax, dword ptr fs:[00000030h] 12_2_1E426DC9
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E426DC9 mov ecx, dword ptr fs:[00000030h] 12_2_1E426DC9
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E426DC9 mov eax, dword ptr fs:[00000030h] 12_2_1E426DC9
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E426DC9 mov eax, dword ptr fs:[00000030h] 12_2_1E426DC9
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3D35A1 mov eax, dword ptr fs:[00000030h] 12_2_1E3D35A1
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E46FDE2 mov eax, dword ptr fs:[00000030h] 12_2_1E46FDE2
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E46FDE2 mov eax, dword ptr fs:[00000030h] 12_2_1E46FDE2
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E46FDE2 mov eax, dword ptr fs:[00000030h] 12_2_1E46FDE2
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E46FDE2 mov eax, dword ptr fs:[00000030h] 12_2_1E46FDE2
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3DFD9B mov eax, dword ptr fs:[00000030h] 12_2_1E3DFD9B
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3DFD9B mov eax, dword ptr fs:[00000030h] 12_2_1E3DFD9B
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3A2D8A mov eax, dword ptr fs:[00000030h] 12_2_1E3A2D8A
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3A2D8A mov eax, dword ptr fs:[00000030h] 12_2_1E3A2D8A
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3A2D8A mov eax, dword ptr fs:[00000030h] 12_2_1E3A2D8A
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3A2D8A mov eax, dword ptr fs:[00000030h] 12_2_1E3A2D8A
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3A2D8A mov eax, dword ptr fs:[00000030h] 12_2_1E3A2D8A
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E458DF1 mov eax, dword ptr fs:[00000030h] 12_2_1E458DF1
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3D2581 mov eax, dword ptr fs:[00000030h] 12_2_1E3D2581
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3D2581 mov eax, dword ptr fs:[00000030h] 12_2_1E3D2581
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3D2581 mov eax, dword ptr fs:[00000030h] 12_2_1E3D2581
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3D2581 mov eax, dword ptr fs:[00000030h] 12_2_1E3D2581
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3BD5E0 mov eax, dword ptr fs:[00000030h] 12_2_1E3BD5E0
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3BD5E0 mov eax, dword ptr fs:[00000030h] 12_2_1E3BD5E0
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E4705AC mov eax, dword ptr fs:[00000030h] 12_2_1E4705AC
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E4705AC mov eax, dword ptr fs:[00000030h] 12_2_1E4705AC
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3E4A2C mov eax, dword ptr fs:[00000030h] 12_2_1E3E4A2C
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3E4A2C mov eax, dword ptr fs:[00000030h] 12_2_1E3E4A2C
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E46EA55 mov eax, dword ptr fs:[00000030h] 12_2_1E46EA55
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E434257 mov eax, dword ptr fs:[00000030h] 12_2_1E434257
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3CA229 mov eax, dword ptr fs:[00000030h] 12_2_1E3CA229
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3CA229 mov eax, dword ptr fs:[00000030h] 12_2_1E3CA229
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3CA229 mov eax, dword ptr fs:[00000030h] 12_2_1E3CA229
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3CA229 mov eax, dword ptr fs:[00000030h] 12_2_1E3CA229
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3CA229 mov eax, dword ptr fs:[00000030h] 12_2_1E3CA229
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3CA229 mov eax, dword ptr fs:[00000030h] 12_2_1E3CA229
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3CA229 mov eax, dword ptr fs:[00000030h] 12_2_1E3CA229
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3CA229 mov eax, dword ptr fs:[00000030h] 12_2_1E3CA229
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3CA229 mov eax, dword ptr fs:[00000030h] 12_2_1E3CA229
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3C3A1C mov eax, dword ptr fs:[00000030h] 12_2_1E3C3A1C
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E45B260 mov eax, dword ptr fs:[00000030h] 12_2_1E45B260
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E45B260 mov eax, dword ptr fs:[00000030h] 12_2_1E45B260
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E478A62 mov eax, dword ptr fs:[00000030h] 12_2_1E478A62
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3A5210 mov eax, dword ptr fs:[00000030h] 12_2_1E3A5210
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3A5210 mov ecx, dword ptr fs:[00000030h] 12_2_1E3A5210
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3A5210 mov eax, dword ptr fs:[00000030h] 12_2_1E3A5210
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3A5210 mov eax, dword ptr fs:[00000030h] 12_2_1E3A5210
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3AAA16 mov eax, dword ptr fs:[00000030h] 12_2_1E3AAA16
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3AAA16 mov eax, dword ptr fs:[00000030h] 12_2_1E3AAA16
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3B8A0A mov eax, dword ptr fs:[00000030h] 12_2_1E3B8A0A
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3E927A mov eax, dword ptr fs:[00000030h] 12_2_1E3E927A
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E46AA16 mov eax, dword ptr fs:[00000030h] 12_2_1E46AA16
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E46AA16 mov eax, dword ptr fs:[00000030h] 12_2_1E46AA16
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3A9240 mov eax, dword ptr fs:[00000030h] 12_2_1E3A9240
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3A9240 mov eax, dword ptr fs:[00000030h] 12_2_1E3A9240
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3A9240 mov eax, dword ptr fs:[00000030h] 12_2_1E3A9240
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3A9240 mov eax, dword ptr fs:[00000030h] 12_2_1E3A9240
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3BAAB0 mov eax, dword ptr fs:[00000030h] 12_2_1E3BAAB0
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3BAAB0 mov eax, dword ptr fs:[00000030h] 12_2_1E3BAAB0
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3DFAB0 mov eax, dword ptr fs:[00000030h] 12_2_1E3DFAB0
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3A52A5 mov eax, dword ptr fs:[00000030h] 12_2_1E3A52A5
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3A52A5 mov eax, dword ptr fs:[00000030h] 12_2_1E3A52A5
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3A52A5 mov eax, dword ptr fs:[00000030h] 12_2_1E3A52A5
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3A52A5 mov eax, dword ptr fs:[00000030h] 12_2_1E3A52A5
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3A52A5 mov eax, dword ptr fs:[00000030h] 12_2_1E3A52A5
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3DD294 mov eax, dword ptr fs:[00000030h] 12_2_1E3DD294
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3DD294 mov eax, dword ptr fs:[00000030h] 12_2_1E3DD294
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3D2AE4 mov eax, dword ptr fs:[00000030h] 12_2_1E3D2AE4
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3D2ACB mov eax, dword ptr fs:[00000030h] 12_2_1E3D2ACB
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E478B58 mov eax, dword ptr fs:[00000030h] 12_2_1E478B58
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3D3B7A mov eax, dword ptr fs:[00000030h] 12_2_1E3D3B7A
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3D3B7A mov eax, dword ptr fs:[00000030h] 12_2_1E3D3B7A
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3ADB60 mov ecx, dword ptr fs:[00000030h] 12_2_1E3ADB60
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E46131B mov eax, dword ptr fs:[00000030h] 12_2_1E46131B
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3AF358 mov eax, dword ptr fs:[00000030h] 12_2_1E3AF358
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3ADB40 mov eax, dword ptr fs:[00000030h] 12_2_1E3ADB40
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E4253CA mov eax, dword ptr fs:[00000030h] 12_2_1E4253CA
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E4253CA mov eax, dword ptr fs:[00000030h] 12_2_1E4253CA
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3D4BAD mov eax, dword ptr fs:[00000030h] 12_2_1E3D4BAD
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3D4BAD mov eax, dword ptr fs:[00000030h] 12_2_1E3D4BAD
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3D4BAD mov eax, dword ptr fs:[00000030h] 12_2_1E3D4BAD
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3D2397 mov eax, dword ptr fs:[00000030h] 12_2_1E3D2397
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3DB390 mov eax, dword ptr fs:[00000030h] 12_2_1E3DB390
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3B1B8F mov eax, dword ptr fs:[00000030h] 12_2_1E3B1B8F
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3B1B8F mov eax, dword ptr fs:[00000030h] 12_2_1E3B1B8F
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E45D380 mov ecx, dword ptr fs:[00000030h] 12_2_1E45D380
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E46138A mov eax, dword ptr fs:[00000030h] 12_2_1E46138A
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3CDBE9 mov eax, dword ptr fs:[00000030h] 12_2_1E3CDBE9
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3D03E2 mov eax, dword ptr fs:[00000030h] 12_2_1E3D03E2
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3D03E2 mov eax, dword ptr fs:[00000030h] 12_2_1E3D03E2
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3D03E2 mov eax, dword ptr fs:[00000030h] 12_2_1E3D03E2
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3D03E2 mov eax, dword ptr fs:[00000030h] 12_2_1E3D03E2
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3D03E2 mov eax, dword ptr fs:[00000030h] 12_2_1E3D03E2
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3D03E2 mov eax, dword ptr fs:[00000030h] 12_2_1E3D03E2
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E475BA5 mov eax, dword ptr fs:[00000030h] 12_2_1E475BA5
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3CA830 mov eax, dword ptr fs:[00000030h] 12_2_1E3CA830
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3CA830 mov eax, dword ptr fs:[00000030h] 12_2_1E3CA830
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3CA830 mov eax, dword ptr fs:[00000030h] 12_2_1E3CA830
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3CA830 mov eax, dword ptr fs:[00000030h] 12_2_1E3CA830
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3D002D mov eax, dword ptr fs:[00000030h] 12_2_1E3D002D
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3D002D mov eax, dword ptr fs:[00000030h] 12_2_1E3D002D
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3D002D mov eax, dword ptr fs:[00000030h] 12_2_1E3D002D
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3D002D mov eax, dword ptr fs:[00000030h] 12_2_1E3D002D
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3D002D mov eax, dword ptr fs:[00000030h] 12_2_1E3D002D
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3BB02A mov eax, dword ptr fs:[00000030h] 12_2_1E3BB02A
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3BB02A mov eax, dword ptr fs:[00000030h] 12_2_1E3BB02A
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3BB02A mov eax, dword ptr fs:[00000030h] 12_2_1E3BB02A
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3BB02A mov eax, dword ptr fs:[00000030h] 12_2_1E3BB02A
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E471074 mov eax, dword ptr fs:[00000030h] 12_2_1E471074
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E462073 mov eax, dword ptr fs:[00000030h] 12_2_1E462073
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E474015 mov eax, dword ptr fs:[00000030h] 12_2_1E474015
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E474015 mov eax, dword ptr fs:[00000030h] 12_2_1E474015
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E427016 mov eax, dword ptr fs:[00000030h] 12_2_1E427016
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E427016 mov eax, dword ptr fs:[00000030h] 12_2_1E427016
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E427016 mov eax, dword ptr fs:[00000030h] 12_2_1E427016
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3C0050 mov eax, dword ptr fs:[00000030h] 12_2_1E3C0050
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3C0050 mov eax, dword ptr fs:[00000030h] 12_2_1E3C0050
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3DF0BF mov ecx, dword ptr fs:[00000030h] 12_2_1E3DF0BF
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3DF0BF mov eax, dword ptr fs:[00000030h] 12_2_1E3DF0BF
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3DF0BF mov eax, dword ptr fs:[00000030h] 12_2_1E3DF0BF
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3E90AF mov eax, dword ptr fs:[00000030h] 12_2_1E3E90AF
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E43B8D0 mov eax, dword ptr fs:[00000030h] 12_2_1E43B8D0
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E43B8D0 mov ecx, dword ptr fs:[00000030h] 12_2_1E43B8D0
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E43B8D0 mov eax, dword ptr fs:[00000030h] 12_2_1E43B8D0
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E43B8D0 mov eax, dword ptr fs:[00000030h] 12_2_1E43B8D0
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E43B8D0 mov eax, dword ptr fs:[00000030h] 12_2_1E43B8D0
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E43B8D0 mov eax, dword ptr fs:[00000030h] 12_2_1E43B8D0
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3D20A0 mov eax, dword ptr fs:[00000030h] 12_2_1E3D20A0
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3D20A0 mov eax, dword ptr fs:[00000030h] 12_2_1E3D20A0
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3D20A0 mov eax, dword ptr fs:[00000030h] 12_2_1E3D20A0
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3D20A0 mov eax, dword ptr fs:[00000030h] 12_2_1E3D20A0
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3D20A0 mov eax, dword ptr fs:[00000030h] 12_2_1E3D20A0
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3D20A0 mov eax, dword ptr fs:[00000030h] 12_2_1E3D20A0
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3A9080 mov eax, dword ptr fs:[00000030h] 12_2_1E3A9080
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E423884 mov eax, dword ptr fs:[00000030h] 12_2_1E423884
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E423884 mov eax, dword ptr fs:[00000030h] 12_2_1E423884
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3A58EC mov eax, dword ptr fs:[00000030h] 12_2_1E3A58EC
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3A40E1 mov eax, dword ptr fs:[00000030h] 12_2_1E3A40E1
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3A40E1 mov eax, dword ptr fs:[00000030h] 12_2_1E3A40E1
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3A40E1 mov eax, dword ptr fs:[00000030h] 12_2_1E3A40E1
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3D513A mov eax, dword ptr fs:[00000030h] 12_2_1E3D513A
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3D513A mov eax, dword ptr fs:[00000030h] 12_2_1E3D513A
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3C4120 mov eax, dword ptr fs:[00000030h] 12_2_1E3C4120
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3C4120 mov eax, dword ptr fs:[00000030h] 12_2_1E3C4120
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3C4120 mov eax, dword ptr fs:[00000030h] 12_2_1E3C4120
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3C4120 mov eax, dword ptr fs:[00000030h] 12_2_1E3C4120
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3C4120 mov ecx, dword ptr fs:[00000030h] 12_2_1E3C4120
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3A9100 mov eax, dword ptr fs:[00000030h] 12_2_1E3A9100
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3A9100 mov eax, dword ptr fs:[00000030h] 12_2_1E3A9100
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3A9100 mov eax, dword ptr fs:[00000030h] 12_2_1E3A9100
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3AB171 mov eax, dword ptr fs:[00000030h] 12_2_1E3AB171
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3AB171 mov eax, dword ptr fs:[00000030h] 12_2_1E3AB171
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3AC962 mov eax, dword ptr fs:[00000030h] 12_2_1E3AC962
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3CB944 mov eax, dword ptr fs:[00000030h] 12_2_1E3CB944
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3CB944 mov eax, dword ptr fs:[00000030h] 12_2_1E3CB944
Enables debug privileges
Source: C:\Users\user\Desktop\order.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\chkdsk.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\order.exe Code function: 12_2_0056330B RtlAddVectoredExceptionHandler,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory, 12_2_0056330B

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\order.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\order.exe Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write
Source: C:\Users\user\Desktop\order.exe Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\chkdsk.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\chkdsk.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\order.exe Thread register set: target process: 3292
Source: C:\Windows\SysWOW64\chkdsk.exe Thread register set: target process: 3292
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\order.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\order.exe Section unmapped: C:\Windows\SysWOW64\chkdsk.exe base address: A20000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\order.exe Process created: C:\Users\user\Desktop\order.exe 'C:\Users\user\Desktop\order.exe'
Source: C:\Windows\SysWOW64\chkdsk.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\order.exe'
Source: explorer.exe, 00000010.00000000.376512460.0000000001400000.00000002.00000001.sdmp, chkdsk.exe, 00000013.00000002.508725687.0000000006560000.00000002.00000001.sdmp Binary or memory string: uProgram Manager
Source: explorer.exe, 00000010.00000000.376512460.0000000001400000.00000002.00000001.sdmp, chkdsk.exe, 00000013.00000002.508725687.0000000006560000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000010.00000000.376512460.0000000001400000.00000002.00000001.sdmp, chkdsk.exe, 00000013.00000002.508725687.0000000006560000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000010.00000000.376117915.0000000000EB8000.00000004.00000020.sdmp Binary or memory string: ProgmanX
Source: explorer.exe, 00000010.00000000.376512460.0000000001400000.00000002.00000001.sdmp, chkdsk.exe, 00000013.00000002.508725687.0000000006560000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000010.00000000.399496745.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndAj

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000013.00000002.506645902.0000000004EC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.505278996.00000000007A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.415907039.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.506547005.0000000004E90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.421125890.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Yara detected Generic Dropper
Source: Yara match File source: Process Memory Space: order.exe PID: 6008, type: MEMORY
Source: Yara match File source: Process Memory Space: chkdsk.exe PID: 4888, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000013.00000002.506645902.0000000004EC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.505278996.00000000007A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.415907039.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.506547005.0000000004E90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.421125890.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Behavior Graph ID: 320634  Sample: order.exe  Startdate: 19/11/2020  Architecture: WINDOWS  Score: 100

Signatures on the submitted sample: Potential malicious icon found; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 7 other signatures

Process tree (recovered from the behavior graph):

order.exe (started)
    Signatures: Detected RDTSC dummy instruction sequence (likely for instruction hammering); Tries to detect Any.run; Tries to detect virtualization through RDTSC time measurements; 2 other signatures
    order.exe 6 (started)
        DNS/IP: pilatescollective.com 192.185.152.65, 443, 49735 UNIFIEDLAYER-AS-1US United States
        Signatures: Modifies the context of a thread in another process (thread injection); Tries to detect Any.run; Maps a DLL or memory area into another process; 3 other signatures
        explorer.exe (injected)
            chkdsk.exe (started)
                Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                cmd.exe 1 (started)
                    conhost.exe (started)

Contacted Public IPs

IP              Domain   Country        ASN    ASN Name             Malicious
192.185.152.65  unknown  United States  46606  UNIFIEDLAYER-AS-1US  false

Contacted Domains

Name                   IP              Active
pilatescollective.com  192.185.152.65  true