

Analysis Report order.exe

Overview

General Information

Sample Name: order.exe
Analysis ID: 320634
MD5: 27d7951ec430f93458370a00272d823d
SHA1: 195eef585ef2307027df1ff05678ea2be23ae25e
SHA256: 306d4c4068a82c3c744c534054536b99a0887d71f194a0dcb689bfea9fd0e0f3
Tags: exe, GuLoader


Detection

FormBook GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • order.exe (PID: 6752 cmdline: 'C:\Users\user\Desktop\order.exe' MD5: 27D7951EC430F93458370A00272D823D)
    • order.exe (PID: 6008 cmdline: 'C:\Users\user\Desktop\order.exe' MD5: 27D7951EC430F93458370A00272D823D)
      • explorer.exe (PID: 3292 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • chkdsk.exe (PID: 4888 cmdline: C:\Windows\SysWOW64\chkdsk.exe MD5: 2D5A2497CB57C374B3AE3080FF9186FB)
          • cmd.exe (PID: 5336 cmdline: /c del 'C:\Users\user\Desktop\order.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000013.00000002.506645902.0000000004EC0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000013.00000002.506645902.0000000004EC0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b307:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c30a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000013.00000002.506645902.0000000004EC0000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x183e9:$sqlite3step: 68 34 1C 7B E1
    • 0x184fc:$sqlite3step: 68 34 1C 7B E1
    • 0x18418:$sqlite3text: 68 38 2A 90 C5
    • 0x1853d:$sqlite3text: 68 38 2A 90 C5
    • 0x1842b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18553:$sqlite3blob: 68 53 D8 7F 8C
00000013.00000002.506407898.0000000004C35000.00000004.00000020.sdmp | LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth
    • 0x3034:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000013.00000002.505278996.00000000007A0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

Note that the LokiBot_Dropper_Packed_R11_Feb18 match rests on a single string, the VB6.OLB type-library path, which VB6-compiled binaries commonly carry. Read it as a VB6 packer indicator consistent with the GuLoader stub and the "VB6 Downloader Generic" signature, not as evidence of LokiBot; the family attribution here comes from the FormBook code-sequence and API-hash rules.
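The memory sources in the table above and in the Yara match lists are not opaque: the dump name encodes the process, the base address and the page protection of the region, and the N_2_ prefix on the Code function lines in the Signature Overview uses the same process index (19 is chkdsk.exe, 16 explorer.exe, 12 the second order.exe, 0 the first). The Python below is an added example, not report content and not Joe Sandbox tooling. The field layout is inferred from this report; reading the protection field as the Win32 PAGE_* value is an assumption that fits every value on the page (0x02, 0x04, 0x40); the mapping of indices 0 and 12 to PIDs 6752 and 6008 follows tree order and is also an assumption; the last field is left undecoded. It shows that four of the five FormBook hits sit in PAGE_EXECUTE_READWRITE regions of the hollowed order.exe and of chkdsk.exe, which is what unpacked, injected code looks like, while the explorer.exe dump holding the font-vendor URLs is read-only.

```python
"""Decode Joe Sandbox memory-dump identifiers and classify the FormBook Yara hits.

Added example, not part of the report. Layout assumed from this report:
<process index>.<phase>.<dump id>.<base address>.<protection>.<type>.sdmp
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Win32 PAGE_* constants; treating the fifth field as one of these is an assumption.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

# Process index -> image, read off the N_2_... prefixes in the Signature Overview.
# Which order.exe is 0 and which is 12 follows the tree order (an assumption).
PROCESS_INDEX = {
    0: "order.exe (PID 6752)",
    12: "order.exe (PID 6008)",
    16: "explorer.exe (PID 3292)",
    19: "chkdsk.exe (PID 4888)",
}

DUMP_RE = re.compile(
    r"^(?P<proc>[0-9A-F]{8})\.(?P<phase>[0-9A-F]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<prot>[0-9A-F]{8})\.(?P<kind>[0-9A-F]{8})\.sdmp$",
    re.IGNORECASE,
)
FUNC_RE = re.compile(r"^(?P<proc>\d+)_(?P<phase>\d+)_(?P<addr>[0-9A-F]{8})$", re.IGNORECASE)


@dataclass(frozen=True)
class DumpRef:
    process_index: int
    phase: int
    dump_id: str      # kept opaque; its meaning is not decoded here
    base: int
    protection: int
    kind: int         # sixth field, left undecoded

    @property
    def process(self) -> str:
        return PROCESS_INDEX.get(self.process_index, f"process index {self.process_index}")

    @property
    def protection_name(self) -> str:
        return PAGE_PROTECT.get(self.protection & 0xFF, hex(self.protection))

    @property
    def writable_and_executable(self) -> bool:
        # RWX memory is what an unpacker or injector leaves behind; the loader
        # never maps an image section or a data file with this protection.
        return (self.protection & 0xFF) in (0x40, 0x80)


def parse_dump_name(name: str) -> DumpRef:
    m = DUMP_RE.match(name.strip())
    if m is None:
        raise ValueError(f"not a Joe Sandbox dump name: {name!r}")
    return DumpRef(int(m["proc"], 16), int(m["phase"], 16), m["dump"],
                   int(m["base"], 16), int(m["prot"], 16), int(m["kind"], 16))


def parse_function_id(ident: str) -> Tuple[int, int, int]:
    """'19_2_05139950' -> (process index 19, phase 2, address 0x05139950)."""
    m = FUNC_RE.match(ident.strip())
    if m is None:
        raise ValueError(f"not a Joe Sandbox function id: {ident!r}")
    return int(m["proc"]), int(m["phase"]), int(m["addr"], 16)


# The five memory sources the report lists under "Yara detected FormBook".
FORMBOOK_HITS = [
    "00000013.00000002.506645902.0000000004EC0000.00000004.00000001.sdmp",
    "00000013.00000002.505278996.00000000007A0000.00000040.00000001.sdmp",
    "0000000C.00000002.415907039.00000000000A0000.00000040.00000001.sdmp",
    "00000013.00000002.506547005.0000000004E90000.00000040.00000001.sdmp",
    "0000000C.00000002.421125890.000000001E150000.00000040.00000001.sdmp",
]
# For contrast: the explorer.exe dump in which the font-vendor URLs were found.
FONT_STRINGS_DUMP = "00000010.00000000.402378328.000000000BE76000.00000002.00000001.sdmp"


def summarise(names: List[str]) -> Dict[str, List[str]]:
    """Group hits by process, describing each region as base and protection."""
    out: Dict[str, List[str]] = defaultdict(list)
    for n in names:
        d = parse_dump_name(n)
        out[d.process].append(f"0x{d.base:08X} {d.protection_name}")
    return dict(out)


def injected_code_regions(names: List[str]) -> List[DumpRef]:
    """Hits sitting in RWX memory, i.e. unpacked code rather than a data buffer."""
    return [d for d in map(parse_dump_name, names) if d.writable_and_executable]


if __name__ == "__main__":
    for proc, regions in summarise(FORMBOOK_HITS).items():
        print(proc)
        for r in regions:
            print("   ", r)
    rwx = injected_code_regions(FORMBOOK_HITS)
    print(f"{len(rwx)} of {len(FORMBOOK_HITS)} FormBook hits are in RWX regions of "
          f"process indices {sorted({d.process_index for d in rwx})}")
    print("font-string region in explorer.exe:", parse_dump_name(FONT_STRINGS_DUMP).protection_name)
```

The one PAGE_READWRITE hit (0x04EC0000 in chkdsk.exe) is the region the yara-signator and JPCERT rules both fire on, so it is a copy of the FormBook payload that has not yet been made executable or is a staging buffer; the RWX regions are where the code actually runs. When you carve the dumps for further analysis, start with the RWX ones.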

      Sigma Overview

      No Sigma rule has matched

      Signature Overview


      AV Detection:

Multi AV Scanner detection for submitted file
Source: order.exe | Virustotal: Detection: 22%
Source: order.exe | ReversingLabs: Detection: 41%
Yara detected FormBook
Source: Yara match | File source: 00000013.00000002.506645902.0000000004EC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.505278996.00000000007A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.415907039.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.506547005.0000000004E90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.421125890.000000001E150000.00000040.00000001.sdmp, type: MEMORY

Networking:

Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | DNS traffic detected: queries for: pilatescollective.com
The font-vendor and licence URLs that follow (fontfabrik, fontbureau, founder, galapagosdesign, goodfont, jiyu-kobo, sajatypeworks, sakkal, sandoll, tiro, typography.net, urwpp, zhongyicts, the Apache licence link) were recovered from explorer.exe's own memory and are typeface metadata, not malware infrastructure; the only URL attributable to the sample is the pilatescollective.com payload path found in order.exe's memory further down.
Source: explorer.exe, 00000010.00000000.402378328.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000010.00000000.402378328.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000010.00000002.520398234.0000000006870000.00000004.00000001.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000010.00000000.402378328.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000010.00000000.402378328.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000010.00000000.402378328.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000010.00000000.402378328.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000010.00000000.402378328.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000010.00000000.402378328.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000010.00000000.402378328.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000010.00000000.402378328.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000010.00000000.402378328.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000010.00000000.402378328.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000010.00000000.402378328.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000010.00000000.402378328.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000010.00000000.402378328.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000010.00000000.402378328.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000010.00000000.402378328.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000010.00000000.402378328.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000010.00000000.402378328.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000010.00000000.402378328.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000010.00000000.402378328.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000010.00000000.402378328.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000010.00000000.402378328.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000010.00000000.402378328.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000010.00000000.402378328.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000010.00000000.402378328.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: order.exe, 0000000C.00000002.415980723.0000000000560000.00000040.00000001.sdmp | String found in binary or memory: https://pilatescollective.com/meantunde/komyydor_NMWgNRCNBM31.bin
Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
Source: order.exe, 00000000.00000002.347850855.00000000006BA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

      E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000013.00000002.506645902.0000000004EC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.505278996.00000000007A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.415907039.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.506547005.0000000004E90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.421125890.000000001E150000.00000040.00000001.sdmp, type: MEMORY

      System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000013.00000002.506645902.0000000004EC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.506645902.0000000004EC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.506407898.0000000004C35000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000013.00000002.505278996.00000000007A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.505278996.00000000007A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.508528778.00000000055FF000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 0000000C.00000002.415907039.00000000000A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.415907039.00000000000A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.506547005.0000000004E90000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.506547005.0000000004E90000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.421125890.000000001E150000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.421125890.000000001E150000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Potential malicious icon found
Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: order.exe
Source: C:\Users\user\Desktop\order.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_02288E45 NtProtectVirtualMemory | 0_2_02288E45
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_02280ABA NtWriteVirtualMemory,TerminateProcess | 0_2_02280ABA
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_02286E81 NtWriteVirtualMemory | 0_2_02286E81
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_02287738 NtSetInformationThread | 0_2_02287738
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_02280769 EnumWindows,NtSetInformationThread | 0_2_02280769
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_02280C12 NtWriteVirtualMemory,TerminateProcess | 0_2_02280C12
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_022885C3 NtSetInformationThread | 0_2_022885C3
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_02283A2A NtWriteVirtualMemory | 0_2_02283A2A
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_02283E16 NtWriteVirtualMemory | 0_2_02283E16
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_02283A77 NtWriteVirtualMemory | 0_2_02283A77
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_02285243 NtWriteVirtualMemory | 0_2_02285243
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_02283A8D NtWriteVirtualMemory | 0_2_02283A8D
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_02283EF2 NtWriteVirtualMemory | 0_2_02283EF2
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_02283ADB NtWriteVirtualMemory | 0_2_02283ADB
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_02283F22 NtWriteVirtualMemory | 0_2_02283F22
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_02289332 NtProtectVirtualMemory | 0_2_02289332
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_02283B1A NtWriteVirtualMemory | 0_2_02283B1A
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_02283F62 NtWriteVirtualMemory | 0_2_02283F62
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_02283B7E NtWriteVirtualMemory | 0_2_02283B7E
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_022837A9 NtWriteVirtualMemory | 0_2_022837A9
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_02285796 NtWriteVirtualMemory | 0_2_02285796
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_022837E7 NtWriteVirtualMemory | 0_2_022837E7
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_02287BC8 NtSetInformationThread | 0_2_02287BC8
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_02283BD9 NtWriteVirtualMemory | 0_2_02283BD9
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_02280873 NtSetInformationThread | 0_2_02280873
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_0228384E NtWriteVirtualMemory | 0_2_0228384E
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_02283C4E NtWriteVirtualMemory | 0_2_02283C4E
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_02280856 NtSetInformationThread | 0_2_02280856
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_022838AA NtWriteVirtualMemory | 0_2_022838AA
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_022838FA NtWriteVirtualMemory | 0_2_022838FA
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_02283CCA NtWriteVirtualMemory | 0_2_02283CCA
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_022808C3 NtSetInformationThread | 0_2_022808C3
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_0228091B NtSetInformationThread | 0_2_0228091B
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_02283D17 NtWriteVirtualMemory | 0_2_02283D17
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_02280960 NtSetInformationThread | 0_2_02280960
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_0228097A NtSetInformationThread | 0_2_0228097A
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_02283D5F NtWriteVirtualMemory | 0_2_02283D5F
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_022839A4 NtWriteVirtualMemory | 0_2_022839A4
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_022839F6 NtWriteVirtualMemory | 0_2_022839F6
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3E9660 NtAllocateVirtualMemory,LdrInitializeThunk | 12_2_1E3E9660
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3E96E0 NtFreeVirtualMemory,LdrInitializeThunk | 12_2_1E3E96E0
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3E9710 NtQueryInformationToken,LdrInitializeThunk | 12_2_1E3E9710
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3E97A0 NtUnmapViewOfSection,LdrInitializeThunk | 12_2_1E3E97A0
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3E9780 NtMapViewOfSection,LdrInitializeThunk | 12_2_1E3E9780
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3E9540 NtReadFile,LdrInitializeThunk | 12_2_1E3E9540
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3E95D0 NtClose,LdrInitializeThunk | 12_2_1E3E95D0
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3E9A20 NtResumeThread,LdrInitializeThunk | 12_2_1E3E9A20
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3E9A00 NtProtectVirtualMemory,LdrInitializeThunk | 12_2_1E3E9A00
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3E9A50 NtCreateFile,LdrInitializeThunk | 12_2_1E3E9A50
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3E9860 NtQuerySystemInformation,LdrInitializeThunk | 12_2_1E3E9860
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3E9840 NtDelayExecution,LdrInitializeThunk | 12_2_1E3E9840
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3E98F0 NtReadVirtualMemory,LdrInitializeThunk | 12_2_1E3E98F0
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3E9910 NtAdjustPrivilegesToken,LdrInitializeThunk | 12_2_1E3E9910
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3E99A0 NtCreateSection,LdrInitializeThunk | 12_2_1E3E99A0
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3E9610 NtEnumerateValueKey | 12_2_1E3E9610
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3E9670 NtQueryInformationProcess | 12_2_1E3E9670
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3E9650 NtQueryValueKey | 12_2_1E3E9650
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3E96D0 NtCreateKey | 12_2_1E3E96D0
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3E9730 NtQueryVirtualMemory | 12_2_1E3E9730
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3EA710 NtOpenProcessToken | 12_2_1E3EA710
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3EA770 NtOpenThread | 12_2_1E3EA770
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3E9770 NtSetInformationFile | 12_2_1E3E9770
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3E9760 NtOpenProcess | 12_2_1E3E9760
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3E9FE0 NtCreateMutant | 12_2_1E3E9FE0
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3EAD30 NtSetContextThread | 12_2_1E3EAD30
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3E9520 NtWaitForSingleObject | 12_2_1E3E9520
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3E9560 NtWriteFile | 12_2_1E3E9560
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3E95F0 NtQueryInformationFile | 12_2_1E3E95F0
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3E9A10 NtQuerySection | 12_2_1E3E9A10
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3E9A80 NtOpenDirectoryObject | 12_2_1E3E9A80
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3E9B00 NtSetValueKey | 12_2_1E3E9B00
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3EA3B0 NtGetContextThread | 12_2_1E3EA3B0
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3E9820 NtEnumerateKey | 12_2_1E3E9820
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3EB040 NtSuspendThread | 12_2_1E3EB040
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3E98A0 NtWriteVirtualMemory | 12_2_1E3E98A0
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3E9950 NtQueueApcThread | 12_2_1E3E9950
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3E99D0 NtCreateProcessEx | 12_2_1E3E99D0
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_0056940A NtSetInformationThread | 12_2_0056940A
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_00564532 Sleep,NtProtectVirtualMemory | 12_2_00564532
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_005685C3 LdrInitializeThunk,NtSetInformationThread,LdrInitializeThunk | 12_2_005685C3
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_00568E45 NtProtectVirtualMemory | 12_2_00568E45
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_00563249 CreateThread,TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory | 12_2_00563249
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_005646B4 LdrInitializeThunk,NtProtectVirtualMemory | 12_2_005646B4
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_00560ABA NtProtectVirtualMemory,LdrInitializeThunk | 12_2_00560ABA
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_00560769 EnumWindows,LdrInitializeThunk,NtSetInformationThread | 12_2_00560769
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_0056330B RtlAddVectoredExceptionHandler,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory | 12_2_0056330B
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_00567738 LdrInitializeThunk,NtSetInformationThread | 12_2_00567738
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_00560856 LdrInitializeThunk,NtSetInformationThread | 12_2_00560856
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_00569446 NtSetInformationThread | 12_2_00569446
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_00560873 LdrInitializeThunk,NtSetInformationThread | 12_2_00560873
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_0056947E NtSetInformationThread | 12_2_0056947E
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_00569862 NtSetInformationThread | 12_2_00569862
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_00569410 NtSetInformationThread | 12_2_00569410
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_0056143E NtProtectVirtualMemory | 12_2_0056143E
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_0056983A NtSetInformationThread | 12_2_0056983A
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_005698D4 NtSetInformationThread | 12_2_005698D4
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_005608C3 LdrInitializeThunk,NtSetInformationThread | 12_2_005608C3
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_005694F3 NtSetInformationThread | 12_2_005694F3
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_005694B6 NtSetInformationThread | 12_2_005694B6
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_005614A6 NtProtectVirtualMemory | 12_2_005614A6
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_005698A3 NtSetInformationThread | 12_2_005698A3
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_00569972 NtSetInformationThread | 12_2_00569972
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_0056097A LdrInitializeThunk,NtSetInformationThread | 12_2_0056097A
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_00560960 LdrInitializeThunk,NtSetInformationThread | 12_2_00560960
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_0056956E NtSetInformationThread | 12_2_0056956E
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_0056091B LdrInitializeThunk,NtSetInformationThread | 12_2_0056091B
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_0056990A NtSetInformationThread | 12_2_0056990A
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_00569932 NtSetInformationThread | 12_2_00569932
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_005645D1 NtProtectVirtualMemory | 12_2_005645D1
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_005695CE NtSetInformationThread | 12_2_005695CE
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_005699F0 NtSetInformationThread | 12_2_005699F0
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_005699A6 NtSetInformationThread | 12_2_005699A6
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_00569670 NtSetInformationThread | 12_2_00569670
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_0056467E LdrInitializeThunk,NtProtectVirtualMemory | 12_2_0056467E
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_0056467A LdrInitializeThunk,NtProtectVirtualMemory | 12_2_0056467A
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_0056461F NtProtectVirtualMemory | 12_2_0056461F
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_00569603 NtSetInformationThread | 12_2_00569603
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_00569A22 NtSetInformationThread | 12_2_00569A22
Source: C:\Windows\explorer.exe | Code function: 16_2_06D04A32 NtCreateFile | 16_2_06D04A32
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 19_2_05139540 NtReadFile,LdrInitializeThunk | 19_2_05139540
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 19_2_051395D0 NtClose,LdrInitializeThunk | 19_2_051395D0
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 19_2_05139710 NtQueryInformationToken,LdrInitializeThunk | 19_2_05139710
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 19_2_05139780 NtMapViewOfSection,LdrInitializeThunk | 19_2_05139780
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 19_2_05139FE0 NtCreateMutant,LdrInitializeThunk | 19_2_05139FE0
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 19_2_05139650 NtQueryValueKey,LdrInitializeThunk | 19_2_05139650
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 19_2_05139660 NtAllocateVirtualMemory,LdrInitializeThunk | 19_2_05139660
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 19_2_051396D0 NtCreateKey,LdrInitializeThunk | 19_2_051396D0
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 19_2_051396E0 NtFreeVirtualMemory,LdrInitializeThunk | 19_2_051396E0
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 19_2_05139910 NtAdjustPrivilegesToken,LdrInitializeThunk | 19_2_05139910
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 19_2_051399A0 NtCreateSection,LdrInitializeThunk | 19_2_051399A0
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 19_2_05139840 NtDelayExecution,LdrInitializeThunk | 19_2_05139840
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 19_2_05139860 NtQuerySystemInformation,LdrInitializeThunk | 19_2_05139860
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 19_2_05139A50 NtCreateFile,LdrInitializeThunk | 19_2_05139A50
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 19_2_0513AD30 NtSetContextThread | 19_2_0513AD30
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 19_2_05139520 NtWaitForSingleObject | 19_2_05139520
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 19_2_05139560 NtWriteFile | 19_2_05139560
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 19_2_051395F0 NtQueryInformationFile | 19_2_051395F0
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 19_2_0513A710 NtOpenProcessToken | 19_2_0513A710
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 19_2_05139730 NtQueryVirtualMemory | 19_2_05139730
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 19_2_0513A770 NtOpenThread | 19_2_0513A770
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 19_2_05139770 NtSetInformationFile | 19_2_05139770
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 19_2_05139760 NtOpenProcess | 19_2_05139760
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 19_2_051397A0 NtUnmapViewOfSection | 19_2_051397A0
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 19_2_05139610 NtEnumerateValueKey | 19_2_05139610
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 19_2_05139670 NtQueryInformationProcess | 19_2_05139670
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 19_2_05139950 NtQueueApcThread | 19_2_05139950
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 19_2_051399D0 NtCreateProcessEx | 19_2_051399D0
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 19_2_05139820 NtEnumerateKey | 19_2_05139820
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 19_2_0513B040 NtSuspendThread | 19_2_0513B040
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 19_2_051398A0 NtWriteVirtualMemory | 19_2_051398A0
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 19_2_051398F0 NtReadVirtualMemory | 19_2_051398F0
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 19_2_05139B00 NtSetValueKey | 19_2_05139B00
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 19_2_0513A3B0 NtGetContextThread | 19_2_0513A3B0
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 19_2_05139A10 NtQuerySection | 19_2_05139A10
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 19_2_05139A00 NtProtectVirtualMemory | 19_2_05139A00
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 19_2_05139A20 NtResumeThread | 19_2_05139A20
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 19_2_05139A80 NtOpenDirectoryObject | 19_2_05139A80
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 19_2_007B9D40 NtCreateFile | 19_2_007B9D40
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 19_2_007B9DF0 NtReadFile | 19_2_007B9DF0
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 19_2_007B9E70 NtClose | 19_2_007B9E70
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 19_2_007B9F20 NtAllocateVirtualMemory | 19_2_007B9F20
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 19_2_007B9D3B NtCreateFile | 19_2_007B9D3B
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 19_2_007B9DEA NtReadFile | 19_2_007B9DEA
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 19_2_007B9F1A NtAllocateVirtualMemory | 19_2_007B9F1A
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3C6E30 12_2_1E3C6E30
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E46D616 12_2_1E46D616
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E472EF7 12_2_1E472EF7
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E47DFCE 12_2_1E47DFCE
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E471FF1 12_2_1E471FF1
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E46D466 12_2_1E46D466
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3B841F 12_2_1E3B841F
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E471D55 12_2_1E471D55
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3A0D20 12_2_1E3A0D20
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E472D07 12_2_1E472D07
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E4725DD 12_2_1E4725DD
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3D2581 12_2_1E3D2581
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3BD5E0 12_2_1E3BD5E0
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E45FA2B 12_2_1E45FA2B
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E4722AE 12_2_1E4722AE
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E472B28 12_2_1E472B28
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3CAB40 12_2_1E3CAB40
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3DEBB0 12_2_1E3DEBB0
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E46DBD2 12_2_1E46DBD2
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E4603DA 12_2_1E4603DA
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3CA830 12_2_1E3CA830
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E461002 12_2_1E461002
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E47E824 12_2_1E47E824
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3D20A0 12_2_1E3D20A0
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3BB090 12_2_1E3BB090
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E4728EC 12_2_1E4728EC
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E4720A8 12_2_1E4720A8
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3C4120 12_2_1E3C4120
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3AF900 12_2_1E3AF900
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_00081069 12_2_00081069
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_00089862 12_2_00089862
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_00081072 12_2_00081072
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_00082CEC 12_2_00082CEC
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_00082CF2 12_2_00082CF2
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_00088132 12_2_00088132
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_0008AA32 12_2_0008AA32
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_00085B1F 12_2_00085B1F
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_00085B22 12_2_00085B22
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_000BE89C 12_2_000BE89C
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_000BD8B1 12_2_000BD8B1
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_000BE1F1 12_2_000BE1F1
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_000A2D8A 12_2_000A2D8A
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_000A2D90 12_2_000A2D90
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_000A9E40 12_2_000A9E40
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_000BCF83 12_2_000BCF83
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_000A2FB0 12_2_000A2FB0
      Source: C:\Windows\explorer.exe Code function: 16_2_06D04A32 16_2_06D04A32
      Source: C:\Windows\explorer.exe Code function: 16_2_06CFCCEC 16_2_06CFCCEC
      Source: C:\Windows\explorer.exe Code function: 16_2_06CFCCF2 16_2_06CFCCF2
      Source: C:\Windows\explorer.exe Code function: 16_2_06CFB069 16_2_06CFB069
      Source: C:\Windows\explorer.exe Code function: 16_2_06D03862 16_2_06D03862
      Source: C:\Windows\explorer.exe Code function: 16_2_06CFB072 16_2_06CFB072
      Source: C:\Windows\explorer.exe Code function: 16_2_06D07A6F 16_2_06D07A6F
      Source: C:\Windows\explorer.exe Code function: 16_2_06CFFB1F 16_2_06CFFB1F
      Source: C:\Windows\explorer.exe Code function: 16_2_06D07B0E 16_2_06D07B0E
      Source: C:\Windows\explorer.exe Code function: 16_2_06D02132 16_2_06D02132
      Source: C:\Windows\explorer.exe Code function: 16_2_06CFFB22 16_2_06CFFB22
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_051C2D07 19_2_051C2D07
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_050F0D20 19_2_050F0D20
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_051C1D55 19_2_051C1D55
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_05122581 19_2_05122581
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_051C25DD 19_2_051C25DD
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_0510D5E0 19_2_0510D5E0
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_0510841F 19_2_0510841F
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_051BD466 19_2_051BD466
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_051CDFCE 19_2_051CDFCE
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_051C1FF1 19_2_051C1FF1
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_051BD616 19_2_051BD616
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_05116E30 19_2_05116E30
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_051C2EF7 19_2_051C2EF7
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_050FF900 19_2_050FF900
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_05114120 19_2_05114120
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_051199BF 19_2_051199BF
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_051B1002 19_2_051B1002
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_0511A830 19_2_0511A830
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_051CE824 19_2_051CE824
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_0510B090 19_2_0510B090
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_051220A0 19_2_051220A0
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_051C20A8 19_2_051C20A8
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_051C28EC 19_2_051C28EC
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_051C2B28 19_2_051C2B28
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_0511AB40 19_2_0511AB40
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_0512EBB0 19_2_0512EBB0
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_051B03DA 19_2_051B03DA
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_051BDBD2 19_2_051BDBD2
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_051AFA2B 19_2_051AFA2B
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_051C22AE 19_2_051C22AE
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_007BD8B1 19_2_007BD8B1
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_007BE89C 19_2_007BE89C
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_007BE1F1 19_2_007BE1F1
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_007A2D90 19_2_007A2D90
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_007A2D8A 19_2_007A2D8A
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_007A9E40 19_2_007A9E40
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_007A2FB0 19_2_007A2FB0
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_007BCF83 19_2_007BCF83
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: String function: 050FB150 appears 72 times
      Source: C:\Users\user\Desktop\order.exe Code function: String function: 1E3AB150 appears 54 times
      Source: order.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: order.exe, 00000000.00000002.347334794.0000000000415000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamePENGESEDLERS.exe vs order.exe
      Source: order.exe, 00000000.00000002.348138525.00000000021E0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs order.exe
      Source: order.exe, 0000000C.00000002.420922926.000000001DDA0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs order.exe
      Source: order.exe, 0000000C.00000002.420991234.000000001DEF0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs order.exe
      Source: order.exe, 0000000C.00000000.346370402.0000000000415000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamePENGESEDLERS.exe vs order.exe
      Source: order.exe, 0000000C.00000002.421651645.000000001E49F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs order.exe
      Source: order.exe, 0000000C.00000002.415954016.00000000000D6000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCHKDSK.EXEj% vs order.exe
      Source: order.exe Binary or memory string: OriginalFilenamePENGESEDLERS.exe vs order.exe
      Source: 00000013.00000002.506645902.0000000004EC0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000013.00000002.506645902.0000000004EC0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000013.00000002.506407898.0000000004C35000.00000004.00000020.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000013.00000002.505278996.00000000007A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000013.00000002.505278996.00000000007A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000013.00000002.508528778.00000000055FF000.00000004.00000001.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000C.00000002.415907039.00000000000A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000C.00000002.415907039.00000000000A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000013.00000002.506547005.0000000004E90000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000013.00000002.506547005.0000000004E90000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000C.00000002.421125890.000000001E150000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000C.00000002.421125890.000000001E150000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: classification engine Classification label: mal100.rans.troj.spyw.evad.winEXE@7/0@1/1
      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5452:120:WilError_01
      Source: order.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\order.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
      Source: C:\Users\user\Desktop\order.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\order.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Desktop\order.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: order.exe Virustotal: Detection: 22%
      Source: order.exe ReversingLabs: Detection: 41%
      Source: unknown Process created: C:\Users\user\Desktop\order.exe 'C:\Users\user\Desktop\order.exe'
      Source: unknown Process created: C:\Users\user\Desktop\order.exe 'C:\Users\user\Desktop\order.exe'
      Source: unknown Process created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe
      Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\order.exe'
      Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\order.exe Process created: C:\Users\user\Desktop\order.exe 'C:\Users\user\Desktop\order.exe'
      Source: C:\Windows\SysWOW64\chkdsk.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\order.exe'
      Source: C:\Users\user\Desktop\order.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32
      Source: Binary string: chkdsk.pdbGCTL source: order.exe, 0000000C.00000002.415942202.00000000000D0000.00000040.00000001.sdmp
      Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000010.00000000.403086058.000000000E6F0000.00000002.00000001.sdmp
      Source: Binary string: chkdsk.pdb source: order.exe, 0000000C.00000002.415942202.00000000000D0000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdbUGP source: order.exe, 0000000C.00000002.421351071.000000001E380000.00000040.00000001.sdmp, chkdsk.exe, 00000013.00000002.507166731.00000000050D0000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdb source: order.exe, chkdsk.exe
      Source: Binary string: wscui.pdb source: explorer.exe, 00000010.00000000.403086058.000000000E6F0000.00000002.00000001.sdmp

      Data Obfuscation:

      Yara detected GuLoader
      Source: Yara match File source: Process Memory Space: order.exe PID: 6752, type: MEMORY
      Source: Yara match File source: Process Memory Space: order.exe PID: 6008, type: MEMORY
      Yara detected VB6 Downloader Generic
      Source: Yara match File source: Process Memory Space: order.exe PID: 6752, type: MEMORY
      Source: Yara match File source: Process Memory Space: order.exe PID: 6008, type: MEMORY
      Source: C:\Users\user\Desktop\order.exe Code function: 0_2_00412675 push eax; ret 0_2_004126B4
      Source: C:\Users\user\Desktop\order.exe Code function: 0_2_02287249 push FFFFFFB9h; retf 0_2_022872AB
      Source: C:\Users\user\Desktop\order.exe Code function: 0_2_022872BF push FFFFFFB9h; retf 0_2_022872AB
      Source: C:\Users\user\Desktop\order.exe Code function: 0_2_022872BF push FFFFFFB9h; retf 0_2_022872CA
      Source: C:\Users\user\Desktop\order.exe Code function: 0_2_022892B0 push dword ptr [edx]; ret 0_2_022892B7
      Source: C:\Users\user\Desktop\order.exe Code function: 0_2_02286FAE push FFFFFFB9h; retf 0_2_02286FB9
      Source: C:\Users\user\Desktop\order.exe Code function: 0_2_02286FCD push FFFFFFB9h; retf 0_2_02286FD8
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_1E3FD0D1 push ecx; ret 12_2_1E3FD0E4
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_0008E3E6 pushad ; ret 12_2_0008E3E7
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_000B60A4 push esp; ret 12_2_000B60A8
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_000B79B8 push es; retf 12_2_000B79BF
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_000B7AD6 push edi; iretd 12_2_000B7AD7
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_000B63D0 push ecx; iretd 12_2_000B63D2
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_000BCE95 push eax; ret 12_2_000BCEE8
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_000BCEEB push eax; ret 12_2_000BCF52
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_000BCEE2 push eax; ret 12_2_000BCEE8
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_000BCF4C push eax; ret 12_2_000BCF52
      Source: C:\Users\user\Desktop\order.exe Code function: 12_2_00567249 push FFFFFFB9h; retf 12_2_005672AB
      Source: C:\Windows\explorer.exe Code function: 16_2_06D083E6 pushad ; ret 16_2_06D083E7
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_0514D0D1 push ecx; ret 19_2_0514D0E4
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_007B60A4 push esp; ret 19_2_007B60A8
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_007B79B8 push es; retf 19_2_007B79BF
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_007B7AD6 push edi; iretd 19_2_007B7AD7
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_007B63D0 push ecx; iretd 19_2_007B63D2
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_007BCEEB push eax; ret 19_2_007BCF52
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_007BCEE2 push eax; ret 19_2_007BCEE8
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_007BCE95 push eax; ret 19_2_007BCEE8
      Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 19_2_007BCF4C push eax; ret 19_2_007BCF52

      Hooking and other Techniques for Hiding and Protection:

      Modifies the prolog of user mode functions (user mode inline hooks)
      Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x84 0x4E 0xED
      Source: C:\Users\user\Desktop\order.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\order.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\order.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\chkdsk.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Detected RDTSC dummy instruction sequence (likely for instruction hammering)
      Source: C:\Users\user\Desktop\order.exe RDTSC instruction interceptor: First address: 0000000002287CB9 second address: 0000000002287CB9 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FA1FCF53148h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f pushad 0x00000020 mov bx, 04F4h 0x00000024 cmp bx, 04F4h 0x00000029 jne 00007FA1FCF4BD76h 0x0000002f popad 0x00000030 jmp 00007FA1FCF5316Ah 0x00000032 cmp bx, bx 0x00000035 cmp dh, ah 0x00000037 add edi, edx 0x00000039 dec dword ptr [ebp+000000F8h] 0x0000003f cmp dl, bl 0x00000041 cmp dword ptr [ebp+000000F8h], 00000000h 0x00000048 jne 00007FA1FCF530E7h 0x0000004a test dl, al 0x0000004c nop 0x0000004d call 00007FA1FCF531DDh 0x00000052 call 00007FA1FCF5315Ah 0x00000057 lfence 0x0000005a mov edx, dword ptr [7FFE0014h] 0x00000060 lfence 0x00000063 ret 0x00000064 mov esi, edx 0x00000066 pushad 0x00000067 rdtsc
      Tries to detect Any.run
      Source: C:\Users\user\Desktop\order.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\Desktop\order.exe File opened: C:\Program Files\qga\qga.exe
      Source: C:\Users\user\Desktop\order.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\Desktop\order.exe File opened: C:\Program Files\qga\qga.exe
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: order.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
      Tries to detect virtualization through RDTSC time measurements
      Source: C:\Users\user\Desktop\order.exe RDTSC instruction interceptor: First address: 0000000002287CB9 second address: 0000000002287CB9 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FA1FCF53148h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f pushad 0x00000020 mov bx, 04F4h 0x00000024 cmp bx, 04F4h 0x00000029 jne 00007FA1FCF4BD76h 0x0000002f popad 0x00000030 jmp 00007FA1FCF5316Ah 0x00000032 cmp bx, bx 0x00000035 cmp dh, ah 0x00000037 add edi, edx 0x00000039 dec dword ptr [ebp+000000F8h] 0x0000003f cmp dl, bl 0x00000041 cmp dword ptr [ebp+000000F8h], 00000000h 0x00000048 jne 00007FA1FCF530E7h 0x0000004a test dl, al 0x0000004c nop 0x0000004d call 00007FA1FCF531DDh 0x00000052 call 00007FA1FCF5315Ah 0x00000057 lfence 0x0000005a mov edx, dword ptr [7FFE0014h] 0x00000060 lfence 0x00000063 ret 0x00000064 mov esi, edx 0x00000066 pushad 0x00000067 rdtsc
      Source: C:\Users\user\Desktop\order.exe RDTSC instruction interceptor: First address: 0000000002287CDB second address: 0000000002287CDB instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007FA1FCD29D0Ch 0x0000001f popad 0x00000020 call 00007FA1FCD29718h 0x00000025 lfence 0x00000028 rdtsc
      Source: C:\Users\user\Desktop\order.exe RDTSC instruction interceptor: First address: 0000000000567CDB second address: 0000000000567CDB instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007FA1FCF538ACh 0x0000001f popad 0x00000020 call 00007FA1FCF532B8h 0x00000025 lfence 0x00000028 rdtsc
      Source: C:\Users\user\Desktop\order.exe RDTSC instruction interceptor: First address: 0000000000567689 second address: 0000000000567689 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov eax, dword ptr [ebp+64h] 0x00000006 test ch, bh 0x00000008 mov bx, word ptr [edx+00010040h] 0x0000000f cmp al, 0Bh 0x00000011 mov ax, word ptr [eax] 0x00000014 xor ax, cx 0x00000017 xor bx, ax 0x0000001a cmp esi, 54674AF8h 0x00000020 cmp bx, 5A4Dh 0x00000025 je 00007FA1FCD295D4h 0x00000027 jmp 00007FA1FCD295C6h 0x00000029 test ch, FFFFFFA5h 0x0000002c inc cx 0x0000002e jmp 00007FA1FCD29548h 0x00000030 pushad 0x00000031 mov edx, 000000D4h 0x00000036 rdtsc
      Source: C:\Users\user\Desktop\order.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\order.exe RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\chkdsk.exe RDTSC instruction interceptor: First address: 00000000007A98E4 second address: 00000000007A98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\chkdsk.exe RDTSC instruction interceptor: First address: 00000000007A9B5E second address: 00000000007A9B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\order.exe Code function: 0_2_02287738 rdtsc 0_2_02287738
      Source: C:\Users\user\Desktop\order.exe TID: 5184 Thread sleep count: 186 > 30
      Source: C:\Windows\explorer.exe Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
      Source: explorer.exe, 00000010.00000000.399402456.0000000008A32000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
      Source: explorer.exe, 00000010.00000000.399402456.0000000008A32000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
      Source: explorer.exe, 00000010.00000002.519599048.00000000059C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: explorer.exe, 00000010.00000000.399663925.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
      Source: explorer.exe, 00000010.00000000.399663925.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
      Source: explorer.exe, 00000010.00000000.391821194.00000000048E0000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: explorer.exe, 00000010.00000002.520456319.00000000068B8000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWe_%SystemRoot%\system32\mswsock.dll
      Source: explorer.exe, 00000010.00000000.399663925.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
      Source: explorer.exe, 00000010.00000000.399496745.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
      Source: explorer.exe, 00000010.00000000.399496745.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
      Source: explorer.exe, 00000010.00000000.396640200.00000000069DA000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD002
      Source: explorer.exe, 00000010.00000000.376117915.0000000000EB8000.00000004.00000020.sdmp Binary or memory string: en_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
      Source: explorer.exe, 00000010.00000002.519599048.00000000059C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: order.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: explorer.exe, 00000010.00000002.519599048.00000000059C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: explorer.exe, 00000010.00000002.519599048.00000000059C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: C:\Users\user\Desktop\order.exe Process information queried: ProcessInformation

      Anti Debugging:

      Contains functionality to hide a thread from the debuggerShow sources
      Source: C:\Users\user\Desktop\order.exeCode function: 0_2_02287738 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,?,00000000,00000000,00000040,02280914,00000000,00000000,00000000,00000000,?0_2_02287738
      Hides threads from debuggersShow sources
      Source: C:\Users\user\Desktop\order.exeThread information set: HideFromDebuggerJump to behavior
      Source: C:\Users\user\Desktop\order.exeThread information set: HideFromDebuggerJump to behavior
      Source: C:\Users\user\Desktop\order.exeThread information set: HideFromDebuggerJump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\order.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\order.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\order.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\chkdsk.exe | Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_02287738 rdtsc
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_02284CF3 LdrInitializeThunk
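As an added triage helper (not part of this report, not sandbox tooling and not code from the sample), the following Python folds evidence rows of the shapes shown in this section, VM artifact strings, the HideFromDebugger and DebugPort events, the NtSetInformationThread call, rdtsc and fs:[30h] PEB reads, into one indicator record per process image. The rows embedded in it are constructed to match the report's row format, not copied from it; the column labels, the pid_phase_address function-id convention and the decoding of THREADINFOCLASS 0x11 as ThreadHideFromDebugger are the assumptions it relies on.

```python
"""Fold Joe Sandbox-style evidence rows into a per-process indicator summary.

Added triage helper for reading this report; not sandbox tooling and not code
from the sample. It assumes only the row shapes visible on the page.
"""
import re
from collections import defaultdict

# Constructed rows in the shape of the report (not copied from it). As in the extracted
# page, the column label is often fused to the source path, the function id is repeated
# after the instruction, and some rows carry "Jump to behavior" residue.
SAMPLE = r"""
Source: explorer.exe, 00000010.00000000.399496745.0000000008ACF000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00
Source: explorer.exe, 00000010.00000002.519599048.00000000059C0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: order.exeBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\order.exeCode function: 0_2_02287738 NtSetInformationThread 000000FE,00000011,00000000,00000000 0_2_02287738
Source: C:\Users\user\Desktop\order.exeThread information set: HideFromDebuggerJump to behavior
Source: C:\Users\user\Desktop\order.exeThread information set: HideFromDebugger
Source: C:\Users\user\Desktop\order.exeProcess queried: DebugPortJump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exeProcess queried: DebugPort
Source: C:\Users\user\Desktop\order.exeCode function: 0_2_02287738 rdtsc 0_2_02287738
Source: C:\Users\user\Desktop\order.exeCode function: 0_2_02286E81 mov eax, dword ptr fs:[00000030h]0_2_02286E81
Source: C:\Users\user\Desktop\order.exeCode function: 12_2_1E461C06 mov eax, dword ptr fs:[00000030h]12_2_1E461C06
Source: C:\Users\user\Desktop\order.exeCode function: 12_2_1E461C06 mov eax, dword ptr fs:[00000030h]12_2_1E461C06
Source: C:\Users\user\Desktop\order.exeCode function: 12_2_1E426DC9 mov ecx, dword ptr fs:[00000030h]12_2_1E426DC9
"""

# Column labels used by the report; no separator is required between path and label.
ROW_RE = re.compile(
    r"^Source: (?P<src>.+?)\s*(?P<label>Code function|Thread information set|"
    r"Process queried|Binary or memory string): (?P<rest>.*)$"
)
# Function ids are "<pid>_<phase>_<hexaddr>"; the same id may be repeated after the body.
CODE_RE = re.compile(r"(?P<fid>(?P<pid>\d+)_\d+_[0-9A-Fa-f]{8}) (?P<body>.*?)(?:\s*(?P=fid))?$")
PEB_RE = re.compile(r"mov e[a-z]{2}, dword ptr fs:\[00000030h\]")  # fs:[30h] is the PEB on 32-bit Windows
RESIDUE_RE = re.compile(r"\s*(Jump to behavior|Show sources)$")      # extraction residue on some rows

THREAD_INFO_CLASS = {0x11: "ThreadHideFromDebugger"}  # THREADINFOCLASS 17 in the public ntddk enum
VM_MARKERS = {"VMware": ("VMWARE", "VMWAR"), "Hyper-V": ("HYPER-V",), "QEMU": ("QEMU",)}


def new_record():
    return {
        "vm_artifacts": set(),              # hypervisor vendors named in binary/memory strings
        "hide_from_debugger": 0,            # ThreadHideFromDebugger observed being set at runtime
        "debugport_queries": 0,             # ProcessDebugPort queries observed at runtime
        "nt_set_info_thread": [],           # (function id, decoded THREADINFOCLASS) from static calls
        "rdtsc_functions": set(),           # functions containing rdtsc timing checks
        "peb_functions": defaultdict(int),  # function id -> number of fs:[30h] reads
    }


def process_key(src):
    """Normalise 'C:\\...\\order.exe' and 'explorer.exe, <region>.sdmp' to a bare image name."""
    return src.split(",")[0].rsplit("\\", 1)[-1].strip().lower()


def parse_report(text):
    """Return {image name: indicator record} for Joe Sandbox-style evidence rows."""
    summary = defaultdict(new_record)
    for raw in text.splitlines():
        m = ROW_RE.match(RESIDUE_RE.sub("", raw.strip()))
        if not m:
            continue
        rec, label, rest = summary[process_key(m["src"])], m["label"], m["rest"]
        if label == "Binary or memory string":
            upper = rest.upper()
            rec["vm_artifacts"].update(v for v, needles in VM_MARKERS.items()
                                       if any(n in upper for n in needles))
        elif label == "Thread information set" and rest == "HideFromDebugger":
            rec["hide_from_debugger"] += 1
        elif label == "Process queried" and rest == "DebugPort":
            rec["debugport_queries"] += 1
        elif label == "Code function" and (c := CODE_RE.match(rest)):
            fid, body = c["fid"], c["body"]
            if body == "rdtsc":
                rec["rdtsc_functions"].add(fid)
            elif PEB_RE.fullmatch(body):
                rec["peb_functions"][fid] += 1
            elif body.startswith("NtSetInformationThread "):
                # the second argument is ThreadInformationClass; decode the thread-hiding one
                cls = int(body.split(" ", 1)[1].split(",")[1], 16)
                rec["nt_set_info_thread"].append((fid, THREAD_INFO_CLASS.get(cls, hex(cls))))
    return dict(summary)


def peb_reads_by_pid(record):
    """Fold per-function PEB reads into per-process-id totals (the pid is the id prefix)."""
    totals = defaultdict(int)
    for fid, n in record["peb_functions"].items():
        totals[int(fid.split("_")[0])] += n
    return dict(totals)


if __name__ == "__main__":
    for proc, rec in parse_report(SAMPLE).items():
        print(proc, sorted(rec["vm_artifacts"]), rec["hide_from_debugger"], rec["debugport_queries"],
              rec["nt_set_info_thread"], sorted(rec["rdtsc_functions"]), peb_reads_by_pid(rec))
```

Running it prints one line per image. Two things the folded view makes visible that the raw rows do not: the hypervisor strings attributed to explorer.exe come from the analysis host's own process memory and say nothing about the sample, whereas the qemu-ga.exe path sits in order.exe's own image; and the runtime events (HideFromDebugger set, DebugPort queried) are what confirm that the statically found NtSetInformationThread call and PEB reads were actually exercised, with the PEB reads split by process id so the later process (id 12) can be told apart from the initial one (id 0).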
Contains functionality to read the PEB (fs:[00000030h] holds the PEB pointer on 32-bit Windows; where one function reads it several times the count is given)
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_02286E81 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_022885C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_02288633 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_02288603 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_0228865F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_0228868A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_02286E83 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_022886CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_02288323 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_022843B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_02283067 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_02287879 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_02282CED mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_022830CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_0228252E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_02282D18 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\order.exe | Code function: 0_2_022885C8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E46AE44 mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3AE620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3DA61C mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3AC600 mov eax, dword ptr fs:[00000030h] (3 reads)
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3D8E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E461608 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3CAE73 mov eax, dword ptr fs:[00000030h] (5 reads)
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3B766D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E45FE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3B7E41 mov eax, dword ptr fs:[00000030h] (6 reads)
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E45FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E478ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E43FE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3B76E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3D16E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E470EA5 mov eax, dword ptr fs:[00000030h] (3 reads)
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E4246A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3D36CC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3E8EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3DE730 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3A4F2E mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3CF716 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E478F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3DA70E mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E47070D mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E43FF10 mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3BFF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3BEF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3B8794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3E37F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E427794 mov eax, dword ptr fs:[00000030h] (3 reads)
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3DBC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E43C450 mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E461C06 mov eax, dword ptr fs:[00000030h] (14 reads)
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E426C0A mov eax, dword ptr fs:[00000030h] (4 reads)
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E47740D mov eax, dword ptr fs:[00000030h] (3 reads)
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3C746D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3DA44B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E478CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3B849B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E426CF0 mov eax, dword ptr fs:[00000030h] (3 reads)
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E4614FB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E423540 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E453D40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3D4D3B mov eax, dword ptr fs:[00000030h] (3 reads)
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3AAD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3B3D34 mov eax, dword ptr fs:[00000030h] (13 reads)
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3CC577 mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3C7D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E478D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E42A537 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3E3D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E46E539 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3D1DB5 mov eax, dword ptr fs:[00000030h] (3 reads)
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E426DC9 mov eax, dword ptr fs:[00000030h] (5 reads)
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E426DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3D35A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E46FDE2 mov eax, dword ptr fs:[00000030h] (4 reads)
Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_1E3DFD9B mov eax, dword ptr fs:[00000030h] (2 reads)