Analysis Report order.exe

Overview

General Information

Sample Name: order.exe
Analysis ID: 320634
MD5: 27d7951ec430f93458370a00272d823d
SHA1: 195eef585ef2307027df1ff05678ea2be23ae25e
SHA256: 306d4c4068a82c3c744c534054536b99a0887d71f194a0dcb689bfea9fd0e0f3
Tags: exe, GuLoader

Detection

Detected: FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • order.exe (PID: 6752 cmdline: 'C:\Users\user\Desktop\order.exe' MD5: 27D7951EC430F93458370A00272D823D)
    • order.exe (PID: 6008 cmdline: 'C:\Users\user\Desktop\order.exe' MD5: 27D7951EC430F93458370A00272D823D)
      • explorer.exe (PID: 3292 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • chkdsk.exe (PID: 4888 cmdline: C:\Windows\SysWOW64\chkdsk.exe MD5: 2D5A2497CB57C374B3AE3080FF9186FB)
          • cmd.exe (PID: 5336 cmdline: /c del 'C:\Users\user\Desktop\order.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000013.00000002.506645902.0000000004EC0000.00000004.00000001.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 00000013.00000002.506645902.0000000004EC0000.00000004.00000001.sdmp
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b307:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c30a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 00000013.00000002.506645902.0000000004EC0000.00000004.00000001.sdmp
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x183e9:$sqlite3step: 68 34 1C 7B E1
  • 0x184fc:$sqlite3step: 68 34 1C 7B E1
  • 0x18418:$sqlite3text: 68 38 2A 90 C5
  • 0x1853d:$sqlite3text: 68 38 2A 90 C5
  • 0x1842b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18553:$sqlite3blob: 68 53 D8 7F 8C

Source: 00000013.00000002.506407898.0000000004C35000.00000004.00000020.sdmp
Rule: LokiBot_Dropper_Packed_R11_Feb18
Description: Auto-generated rule - file scan copy.pdf.r11
Author: Florian Roth
Strings:
  • 0x3034:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB

Source: 00000013.00000002.505278996.00000000007A0000.00000040.00000001.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: order.exe, Virustotal: Detection: 22%
Source: order.exe, ReversingLabs: Detection: 41%
Yara detected FormBook
Source: Yara match, File source: 00000013.00000002.506645902.0000000004EC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000013.00000002.505278996.00000000007A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.415907039.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000013.00000002.506547005.0000000004E90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.421125890.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Joe Sandbox View, JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown, DNS traffic detected: queries for: pilatescollective.com
Source: order.exe, 0000000C.00000002.415980723.0000000000560000.00000040.00000001.sdmp, String found in binary or memory: https://pilatescollective.com/meantunde/komyydor_NMWgNRCNBM31.bin
Source: unknown, Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49735
Source: order.exe, 00000000.00000002.347850855.00000000006BA000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, File source: 00000013.00000002.506645902.0000000004EC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000013.00000002.505278996.00000000007A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.415907039.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000013.00000002.506547005.0000000004E90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.421125890.000000001E150000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000013.00000002.506645902.0000000004EC0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.506645902.0000000004EC0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.506407898.0000000004C35000.00000004.00000020.sdmp, type: MEMORY, Matched rule: Auto-generated rule - file scan copy.pdf.r11, Author: Florian Roth
Source: 00000013.00000002.505278996.00000000007A0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.505278996.00000000007A0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.508528778.00000000055FF000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Auto-generated rule - file scan copy.pdf.r11, Author: Florian Roth
Source: 0000000C.00000002.415907039.00000000000A0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.415907039.00000000000A0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.506547005.0000000004E90000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.506547005.0000000004E90000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.421125890.000000001E150000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.421125890.000000001E150000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Potential malicious icon found
Source: initial sample, Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Initial sample is a PE file and has a suspicious name
Source: initial sample, Static PE information: Filename: order.exe
Source: C:\Users\user\Desktop\order.exe, Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\order.exe, Code function: 0_2_02288E45 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\order.exe, Code function: 0_2_02280ABA NtWriteVirtualMemory, TerminateProcess
Source: C:\Users\user\Desktop\order.exe, Code function: 0_2_02286E81 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\order.exe, Code function: 0_2_02287738 NtSetInformationThread
Source: C:\Users\user\Desktop\order.exe, Code function: 0_2_02280769 EnumWindows, NtSetInformationThread
Source: C:\Users\user\Desktop\order.exe, Code function: 0_2_02280C12 NtWriteVirtualMemory, TerminateProcess
Source: C:\Users\user\Desktop\order.exe, Code function: 0_2_022885C3 NtSetInformationThread
Source: C:\Users\user\Desktop\order.exe, Code function: 0_2_02283A2A NtWriteVirtualMemory
Source: C:\Users\user\Desktop\order.exe, Code function: 0_2_02283E16 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\order.exe, Code function: 0_2_02283A77 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\order.exe, Code function: 0_2_02285243 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\order.exe, Code function: 0_2_02283A8D NtWriteVirtualMemory
Source: C:\Users\user\Desktop\order.exe, Code function: 0_2_02283EF2 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\order.exe, Code function: 0_2_02283ADB NtWriteVirtualMemory
Source: C:\Users\user\Desktop\order.exe, Code function: 0_2_02283F22 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\order.exe, Code function: 0_2_02289332 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\order.exe, Code function: 0_2_02283B1A NtWriteVirtualMemory
Source: C:\Users\user\Desktop\order.exe, Code function: 0_2_02283F62 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\order.exe, Code function: 0_2_02283B7E NtWriteVirtualMemory
Source: C:\Users\user\Desktop\order.exe, Code function: 0_2_022837A9 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\order.exe, Code function: 0_2_02285796 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\order.exe, Code function: 0_2_022837E7 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\order.exe, Code function: 0_2_02287BC8 NtSetInformationThread
Source: C:\Users\user\Desktop\order.exe, Code function: 0_2_02283BD9 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\order.exe, Code function: 0_2_02280873 NtSetInformationThread
Source: C:\Users\user\Desktop\order.exe, Code function: 0_2_0228384E NtWriteVirtualMemory
Source: C:\Users\user\Desktop\order.exe, Code function: 0_2_02283C4E NtWriteVirtualMemory
Source: C:\Users\user\Desktop\order.exe, Code function: 0_2_02280856 NtSetInformationThread
Source: C:\Users\user\Desktop\order.exe, Code function: 0_2_022838AA NtWriteVirtualMemory
Source: C:\Users\user\Desktop\order.exe, Code function: 0_2_022838FA NtWriteVirtualMemory
Source: C:\Users\user\Desktop\order.exe, Code function: 0_2_02283CCA NtWriteVirtualMemory
Source: C:\Users\user\Desktop\order.exe, Code function: 0_2_022808C3 NtSetInformationThread
Source: C:\Users\user\Desktop\order.exe, Code function: 0_2_0228091B NtSetInformationThread
Source: C:\Users\user\Desktop\order.exe, Code function: 0_2_02283D17 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\order.exe, Code function: 0_2_02280960 NtSetInformationThread
Source: C:\Users\user\Desktop\order.exe, Code function: 0_2_0228097A NtSetInformationThread
Source: C:\Users\user\Desktop\order.exe, Code function: 0_2_02283D5F NtWriteVirtualMemory
Source: C:\Users\user\Desktop\order.exe, Code function: 0_2_022839A4 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\order.exe, Code function: 0_2_022839F6 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_1E3E9660 NtAllocateVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_1E3E96E0 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_1E3E9710 NtQueryInformationToken, LdrInitializeThunk
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_1E3E97A0 NtUnmapViewOfSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_1E3E9780 NtMapViewOfSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_1E3E9540 NtReadFile, LdrInitializeThunk
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_1E3E95D0 NtClose, LdrInitializeThunk
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_1E3E9A20 NtResumeThread, LdrInitializeThunk
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_1E3E9A00 NtProtectVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_1E3E9A50 NtCreateFile, LdrInitializeThunk
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_1E3E9860 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_1E3E9840 NtDelayExecution, LdrInitializeThunk
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_1E3E98F0 NtReadVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_1E3E9910 NtAdjustPrivilegesToken, LdrInitializeThunk
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_1E3E99A0 NtCreateSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_1E3E9610 NtEnumerateValueKey
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_1E3E9670 NtQueryInformationProcess
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_1E3E9650 NtQueryValueKey
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_1E3E96D0 NtCreateKey
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_1E3E9730 NtQueryVirtualMemory
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_1E3EA710 NtOpenProcessToken
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_1E3EA770 NtOpenThread
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_1E3E9770 NtSetInformationFile
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_1E3E9760 NtOpenProcess
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_1E3E9FE0 NtCreateMutant
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_1E3EAD30 NtSetContextThread
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_1E3E9520 NtWaitForSingleObject
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_1E3E9560 NtWriteFile
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_1E3E95F0 NtQueryInformationFile
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_1E3E9A10 NtQuerySection
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_1E3E9A80 NtOpenDirectoryObject
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_1E3E9B00 NtSetValueKey
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_1E3EA3B0 NtGetContextThread
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_1E3E9820 NtEnumerateKey
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_1E3EB040 NtSuspendThread
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_1E3E98A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_1E3E9950 NtQueueApcThread
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_1E3E99D0 NtCreateProcessEx
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_0056940A NtSetInformationThread
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_00564532 Sleep, NtProtectVirtualMemory
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_005685C3 LdrInitializeThunk, NtSetInformationThread, LdrInitializeThunk
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_00568E45 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_00563249 CreateThread, TerminateThread, LdrInitializeThunk, NtProtectVirtualMemory
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_005646B4 LdrInitializeThunk, NtProtectVirtualMemory
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_00560ABA NtProtectVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_00560769 EnumWindows, LdrInitializeThunk, NtSetInformationThread
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_0056330B RtlAddVectoredExceptionHandler, NtProtectVirtualMemory, LdrInitializeThunk, NtProtectVirtualMemory
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_00567738 LdrInitializeThunk, NtSetInformationThread
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_00560856 LdrInitializeThunk, NtSetInformationThread
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_00569446 NtSetInformationThread
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_00560873 LdrInitializeThunk, NtSetInformationThread
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_0056947E NtSetInformationThread
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_00569862 NtSetInformationThread
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_00569410 NtSetInformationThread
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_0056143E NtProtectVirtualMemory
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_0056983A NtSetInformationThread
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_005698D4 NtSetInformationThread
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_005608C3 LdrInitializeThunk, NtSetInformationThread
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_005694F3 NtSetInformationThread
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_005694B6 NtSetInformationThread
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_005614A6 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_005698A3 NtSetInformationThread
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_00569972 NtSetInformationThread
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_0056097A LdrInitializeThunk, NtSetInformationThread
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_00560960 LdrInitializeThunk, NtSetInformationThread
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_0056956E NtSetInformationThread
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_0056091B LdrInitializeThunk, NtSetInformationThread
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_0056990A NtSetInformationThread
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_00569932 NtSetInformationThread
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_005645D1 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_005695CE NtSetInformationThread
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_005699F0 NtSetInformationThread
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_005699A6 NtSetInformationThread
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_00569670 NtSetInformationThread
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_0056467E LdrInitializeThunk, NtProtectVirtualMemory
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_0056467A LdrInitializeThunk, NtProtectVirtualMemory
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_0056461F NtProtectVirtualMemory
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_00569603 NtSetInformationThread
Source: C:\Users\user\Desktop\order.exe, Code function: 12_2_00569A22 NtSetInformationThread
Source: C:\Windows\explorer.exe, Code function: 16_2_06D04A32 NtCreateFile
Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 19_2_05139540 NtReadFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 19_2_051395D0 NtClose, LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 19_2_05139710 NtQueryInformationToken, LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 19_2_05139780 NtMapViewOfSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 19_2_05139FE0 NtCreateMutant, LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 19_2_05139650 NtQueryValueKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 19_2_05139660 NtAllocateVirtualMemory, LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 19_2_051396D0 NtCreateKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 19_2_051396E0 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 19_2_05139910 NtAdjustPrivilegesToken, LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 19_2_051399A0 NtCreateSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 19_2_05139840 NtDelayExecution, LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 19_2_05139860 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 19_2_05139A50 NtCreateFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 19_2_0513AD30 NtSetContextThread
Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 19_2_05139520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 19_2_05139560 NtWriteFile
Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 19_2_051395F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 19_2_0513A710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 19_2_05139730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 19_2_0513A770 NtOpenThread
Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 19_2_05139770 NtSetInformationFile
Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 19_2_05139760 NtOpenProcess
Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 19_2_051397A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 19_2_05139610 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 19_2_05139670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 19_2_05139950 NtQueueApcThread
Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 19_2_051399D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 19_2_05139820 NtEnumerateKey
Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 19_2_0513B040 NtSuspendThread
Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 19_2_051398A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 19_2_051398F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 19_2_05139B00 NtSetValueKey
Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 19_2_0513A3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 19_2_05139A10 NtQuerySection
Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 19_2_05139A00 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 19_2_05139A20 NtResumeThread
Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 19_2_05139A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 19_2_007B9D40 NtCreateFile
Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 19_2_007B9DF0 NtReadFile
Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 19_2_007B9E70 NtClose
Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 19_2_007B9F20 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 19_2_007B9D3B NtCreateFile
Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 19_2_007B9DEA NtReadFile
Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 19_2_007B9F1A NtAllocateVirtualMemory
      Source: C:\Users\user\Desktop\order.exeCode function: 12_2_000A9E40
      Source: C:\Users\user\Desktop\order.exeCode function: 12_2_000BCF83
      Source: C:\Users\user\Desktop\order.exeCode function: 12_2_000A2FB0
      Source: C:\Windows\explorer.exeCode function: 16_2_06D04A32
      Source: C:\Windows\explorer.exeCode function: 16_2_06CFCCEC
      Source: C:\Windows\explorer.exeCode function: 16_2_06CFCCF2
      Source: C:\Windows\explorer.exeCode function: 16_2_06CFB069
      Source: C:\Windows\explorer.exeCode function: 16_2_06D03862
      Source: C:\Windows\explorer.exeCode function: 16_2_06CFB072
      Source: C:\Windows\explorer.exeCode function: 16_2_06D07A6F
      Source: C:\Windows\explorer.exeCode function: 16_2_06CFFB1F
      Source: C:\Windows\explorer.exeCode function: 16_2_06D07B0E
      Source: C:\Windows\explorer.exeCode function: 16_2_06D02132
      Source: C:\Windows\explorer.exeCode function: 16_2_06CFFB22
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051C2D07
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_050F0D20
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051C1D55
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_05122581
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051C25DD
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_0510D5E0
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_0510841F
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051BD466
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051CDFCE
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051C1FF1
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051BD616
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_05116E30
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051C2EF7
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_050FF900
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_05114120
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051199BF
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051B1002
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_0511A830
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051CE824
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_0510B090
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051220A0
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051C20A8
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051C28EC
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051C2B28
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_0511AB40
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_0512EBB0
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051B03DA
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051BDBD2
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051AFA2B
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051C22AE
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_007BD8B1
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_007BE89C
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_007BE1F1
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_007A2D90
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_007A2D8A
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_007A9E40
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_007A2FB0
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_007BCF83
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: String function: 050FB150 appears 72 times
      Source: C:\Users\user\Desktop\order.exeCode function: String function: 1E3AB150 appears 54 times
      Source: order.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: order.exe, 00000000.00000002.347334794.0000000000415000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamePENGESEDLERS.exe vs order.exe
      Source: order.exe, 00000000.00000002.348138525.00000000021E0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs order.exe
      Source: order.exe, 0000000C.00000002.420922926.000000001DDA0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemswsock.dll.muij% vs order.exe
      Source: order.exe, 0000000C.00000002.420991234.000000001DEF0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs order.exe
      Source: order.exe, 0000000C.00000000.346370402.0000000000415000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamePENGESEDLERS.exe vs order.exe
      Source: order.exe, 0000000C.00000002.421651645.000000001E49F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs order.exe
      Source: order.exe, 0000000C.00000002.415954016.00000000000D6000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameCHKDSK.EXEj% vs order.exe
      Source: order.exeBinary or memory string: OriginalFilenamePENGESEDLERS.exe vs order.exe
      Source: 00000013.00000002.506645902.0000000004EC0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000013.00000002.506645902.0000000004EC0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000013.00000002.506407898.0000000004C35000.00000004.00000020.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000013.00000002.505278996.00000000007A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000013.00000002.505278996.00000000007A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000013.00000002.508528778.00000000055FF000.00000004.00000001.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000C.00000002.415907039.00000000000A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000C.00000002.415907039.00000000000A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000013.00000002.506547005.0000000004E90000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000013.00000002.506547005.0000000004E90000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000C.00000002.421125890.000000001E150000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000C.00000002.421125890.000000001E150000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: classification engineClassification label: mal100.rans.troj.spyw.evad.winEXE@7/0@1/1
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5452:120:WilError_01
      Source: order.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\order.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
      Source: C:\Users\user\Desktop\order.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\order.exeFile read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Desktop\order.exeFile read: C:\Windows\System32\drivers\etc\hosts
      Source: order.exeVirustotal: Detection: 22%
      Source: order.exeReversingLabs: Detection: 41%
      Source: unknownProcess created: C:\Users\user\Desktop\order.exe 'C:\Users\user\Desktop\order.exe'
      Source: unknownProcess created: C:\Users\user\Desktop\order.exe 'C:\Users\user\Desktop\order.exe'
      Source: unknownProcess created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe
      Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\order.exe'
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\order.exeProcess created: C:\Users\user\Desktop\order.exe 'C:\Users\user\Desktop\order.exe'
      Source: C:\Windows\SysWOW64\chkdsk.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\order.exe'
      Source: C:\Users\user\Desktop\order.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32
      Source: Binary string: chkdsk.pdbGCTL source: order.exe, 0000000C.00000002.415942202.00000000000D0000.00000040.00000001.sdmp
      Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000010.00000000.403086058.000000000E6F0000.00000002.00000001.sdmp
      Source: Binary string: chkdsk.pdb source: order.exe, 0000000C.00000002.415942202.00000000000D0000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdbUGP source: order.exe, 0000000C.00000002.421351071.000000001E380000.00000040.00000001.sdmp, chkdsk.exe, 00000013.00000002.507166731.00000000050D0000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdb source: order.exe, chkdsk.exe
      Source: Binary string: wscui.pdb source: explorer.exe, 00000010.00000000.403086058.000000000E6F0000.00000002.00000001.sdmp

      Data Obfuscation:

      Yara detected GuLoader
      Source: Yara matchFile source: Process Memory Space: order.exe PID: 6752, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: order.exe PID: 6008, type: MEMORY
      Yara detected VB6 Downloader Generic
      Source: Yara matchFile source: Process Memory Space: order.exe PID: 6752, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: order.exe PID: 6008, type: MEMORY
      Source: C:\Users\user\Desktop\order.exeCode function: 0_2_00412675 push eax; ret
      Source: C:\Users\user\Desktop\order.exeCode function: 0_2_02287249 push FFFFFFB9h; retf
      Source: C:\Users\user\Desktop\order.exeCode function: 0_2_022872BF push FFFFFFB9h; retf
      Source: C:\Users\user\Desktop\order.exeCode function: 0_2_022872BF push FFFFFFB9h; retf
      Source: C:\Users\user\Desktop\order.exeCode function: 0_2_022892B0 push dword ptr [edx]; ret
      Source: C:\Users\user\Desktop\order.exeCode function: 0_2_02286FAE push FFFFFFB9h; retf
      Source: C:\Users\user\Desktop\order.exeCode function: 0_2_02286FCD push FFFFFFB9h; retf
      Source: C:\Users\user\Desktop\order.exeCode function: 12_2_1E3FD0D1 push ecx; ret
      Source: C:\Users\user\Desktop\order.exeCode function: 12_2_0008E3E6 pushad ; ret
      Source: C:\Users\user\Desktop\order.exeCode function: 12_2_000B60A4 push esp; ret
      Source: C:\Users\user\Desktop\order.exeCode function: 12_2_000B79B8 push es; retf
      Source: C:\Users\user\Desktop\order.exeCode function: 12_2_000B7AD6 push edi; iretd
      Source: C:\Users\user\Desktop\order.exeCode function: 12_2_000B63D0 push ecx; iretd
      Source: C:\Users\user\Desktop\order.exeCode function: 12_2_000BCE95 push eax; ret
      Source: C:\Users\user\Desktop\order.exeCode function: 12_2_000BCEEB push eax; ret
      Source: C:\Users\user\Desktop\order.exeCode function: 12_2_000BCEE2 push eax; ret
      Source: C:\Users\user\Desktop\order.exeCode function: 12_2_000BCF4C push eax; ret
      Source: C:\Users\user\Desktop\order.exeCode function: 12_2_00567249 push FFFFFFB9h; retf
      Source: C:\Windows\explorer.exeCode function: 16_2_06D083E6 pushad ; ret
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_0514D0D1 push ecx; ret
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_007B60A4 push esp; ret
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_007B79B8 push es; retf
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_007B7AD6 push edi; iretd
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_007B63D0 push ecx; iretd
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_007BCEEB push eax; ret
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_007BCEE2 push eax; ret
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_007BCE95 push eax; ret
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_007BCF4C push eax; ret

      Hooking and other Techniques for Hiding and Protection:

      Modifies the prolog of user mode functions (user mode inline hooks)
      Source: explorer.exeUser mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x84 0x4E 0xED
      Source: C:\Users\user\Desktop\order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\order.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\chkdsk.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Detected RDTSC dummy instruction sequence (likely for instruction hammering)
      Source: C:\Users\user\Desktop\order.exeRDTSC instruction interceptor: First address: 0000000002287CB9 second address: 0000000002287CB9 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FA1FCF53148h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f pushad 0x00000020 mov bx, 04F4h 0x00000024 cmp bx, 04F4h 0x00000029 jne 00007FA1FCF4BD76h 0x0000002f popad 0x00000030 jmp 00007FA1FCF5316Ah 0x00000032 cmp bx, bx 0x00000035 cmp dh, ah 0x00000037 add edi, edx 0x00000039 dec dword ptr [ebp+000000F8h] 0x0000003f cmp dl, bl 0x00000041 cmp dword ptr [ebp+000000F8h], 00000000h 0x00000048 jne 00007FA1FCF530E7h 0x0000004a test dl, al 0x0000004c nop 0x0000004d call 00007FA1FCF531DDh 0x00000052 call 00007FA1FCF5315Ah 0x00000057 lfence 0x0000005a mov edx, dword ptr [7FFE0014h] 0x00000060 lfence 0x00000063 ret 0x00000064 mov esi, edx 0x00000066 pushad 0x00000067 rdtsc
      Tries to detect Any.run
      Source: C:\Users\user\Desktop\order.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\Desktop\order.exeFile opened: C:\Program Files\qga\qga.exe
      Source: C:\Users\user\Desktop\order.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\Desktop\order.exeFile opened: C:\Program Files\qga\qga.exe
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: order.exeBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
      Tries to detect virtualization through RDTSC time measurements
      Source: C:\Users\user\Desktop\order.exeRDTSC instruction interceptor: First address: 0000000002287CB9 second address: 0000000002287CB9 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FA1FCF53148h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f pushad 0x00000020 mov bx, 04F4h 0x00000024 cmp bx, 04F4h 0x00000029 jne 00007FA1FCF4BD76h 0x0000002f popad 0x00000030 jmp 00007FA1FCF5316Ah 0x00000032 cmp bx, bx 0x00000035 cmp dh, ah 0x00000037 add edi, edx 0x00000039 dec dword ptr [ebp+000000F8h] 0x0000003f cmp dl, bl 0x00000041 cmp dword ptr [ebp+000000F8h], 00000000h 0x00000048 jne 00007FA1FCF530E7h 0x0000004a test dl, al 0x0000004c nop 0x0000004d call 00007FA1FCF531DDh 0x00000052 call 00007FA1FCF5315Ah 0x00000057 lfence 0x0000005a mov edx, dword ptr [7FFE0014h] 0x00000060 lfence 0x00000063 ret 0x00000064 mov esi, edx 0x00000066 pushad 0x00000067 rdtsc
      Source: C:\Users\user\Desktop\order.exeRDTSC instruction interceptor: First address: 0000000002287CDB second address: 0000000002287CDB instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007FA1FCD29D0Ch 0x0000001f popad 0x00000020 call 00007FA1FCD29718h 0x00000025 lfence 0x00000028 rdtsc
      Source: C:\Users\user\Desktop\order.exeRDTSC instruction interceptor: First address: 0000000000567CDB second address: 0000000000567CDB instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007FA1FCF538ACh 0x0000001f popad 0x00000020 call 00007FA1FCF532B8h 0x00000025 lfence 0x00000028 rdtsc
      Source: C:\Users\user\Desktop\order.exeRDTSC instruction interceptor: First address: 0000000000567689 second address: 0000000000567689 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov eax, dword ptr [ebp+64h] 0x00000006 test ch, bh 0x00000008 mov bx, word ptr [edx+00010040h] 0x0000000f cmp al, 0Bh 0x00000011 mov ax, word ptr [eax] 0x00000014 xor ax, cx 0x00000017 xor bx, ax 0x0000001a cmp esi, 54674AF8h 0x00000020 cmp bx, 5A4Dh 0x00000025 je 00007FA1FCD295D4h 0x00000027 jmp 00007FA1FCD295C6h 0x00000029 test ch, FFFFFFA5h 0x0000002c inc cx 0x0000002e jmp 00007FA1FCD29548h 0x00000030 pushad 0x00000031 mov edx, 000000D4h 0x00000036 rdtsc
      Source: C:\Users\user\Desktop\order.exeRDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\order.exeRDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\chkdsk.exeRDTSC instruction interceptor: First address: 00000000007A98E4 second address: 00000000007A98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\chkdsk.exeRDTSC instruction interceptor: First address: 00000000007A9B5E second address: 00000000007A9B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\order.exeCode function: 0_2_02287738 rdtsc
      Source: C:\Users\user\Desktop\order.exe TID: 5184Thread sleep count: 186 > 30
      Source: C:\Windows\explorer.exeLast function: Thread delayed
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: explorer.exe, 00000010.00000000.399402456.0000000008A32000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00dRom0
      Source: explorer.exe, 00000010.00000000.399402456.0000000008A32000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
      Source: explorer.exe, 00000010.00000002.519599048.00000000059C0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: explorer.exe, 00000010.00000000.399663925.0000000008B88000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
      Source: explorer.exe, 00000010.00000000.399663925.0000000008B88000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
      Source: explorer.exe, 00000010.00000000.391821194.00000000048E0000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: explorer.exe, 00000010.00000002.520456319.00000000068B8000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAWe_%SystemRoot%\system32\mswsock.dll
      Source: explorer.exe, 00000010.00000000.399663925.0000000008B88000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
      Source: explorer.exe, 00000010.00000000.399496745.0000000008ACF000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
      Source: explorer.exe, 00000010.00000000.399496745.0000000008ACF000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
      Source: explorer.exe, 00000010.00000000.396640200.00000000069DA000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD002
      Source: explorer.exe, 00000010.00000000.376117915.0000000000EB8000.00000004.00000020.sdmpBinary or memory string: en_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
      Source: explorer.exe, 00000010.00000002.519599048.00000000059C0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: order.exeBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: explorer.exe, 00000010.00000002.519599048.00000000059C0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: explorer.exe, 00000010.00000002.519599048.00000000059C0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: C:\Users\user\Desktop\order.exeProcess information queried: ProcessInformation

      Anti Debugging:

      Contains functionality to hide a thread from the debugger
      Source: C:\Users\user\Desktop\order.exeCode function: 0_2_02287738 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,?,00000000,00000000,00000040,02280914,00000000,00000000,00000000,00000000,?
      Hides threads from debuggers
      Source: C:\Users\user\Desktop\order.exeThread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\order.exeThread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\order.exeThread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\order.exeProcess queried: DebugPort
      Source: C:\Users\user\Desktop\order.exeProcess queried: DebugPort
      Source: C:\Users\user\Desktop\order.exeProcess queried: DebugPort
      Source: C:\Windows\SysWOW64\chkdsk.exeProcess queried: DebugPort
      Source: C:\Users\user\Desktop\order.exeCode function: 0_2_02287738 rdtsc
      Source: C:\Users\user\Desktop\order.exeCode function: 0_2_02284CF3 LdrInitializeThunk,
      Source: C:\Users\user\Desktop\order.exeCode function: 0_2_02286E81 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\order.exeCode function: 0_2_022885C3 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\order.exeCode function: 0_2_02288633 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\order.exeCode function: 0_2_02288603 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\order.exeCode function: 0_2_0228865F mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\order.exeCode function: 0_2_0228868A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\order.exeCode function: 0_2_02286E83 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\order.exeCode function: 0_2_022886CA mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\order.exeCode function: 0_2_02288323 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\order.exeCode function: 0_2_022843B0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\order.exeCode function: 0_2_02283067 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\order.exeCode function: 0_2_02287879 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\order.exeCode function: 0_2_02282CED mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\order.exeCode function: 0_2_022830CA mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_05122581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_05121DB5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_05121DB5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_05121DB5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051C05AC mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051C05AC mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051235A1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_05176DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_05176DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_05176DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_05176DC9 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_05176DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_05176DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051A8DF1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_0510D5E0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_0510D5E0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051BFDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051BFDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051BFDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051BFDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051C740D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051C740D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051C740D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051B1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051B1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051B1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051B1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051B1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051B1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051B1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051B1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051B1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051B1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051B1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051B1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051B1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051B1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_05176C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_05176C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_05176C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_05176C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_0512BC2C mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_0518C450 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_0518C450 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_0512A44B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_0511746D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_0510849B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051C8CD6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051B14FB mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_05176CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_05176CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_05176CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_0511F716 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_0518FF10 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_0518FF10 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051C070D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051C070D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_0512A70E mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_0512A70E mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_050F4F2E mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_050F4F2E mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_0512E730 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_0511B73D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_0511B73D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_0510EF40 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_0510FF60 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051C8F6A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_05177794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_05177794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_05177794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_05108794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051337F5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_0512A61C mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_0512A61C mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_050FC600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_050FC600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_050FC600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_05128E00 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051B1608 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051AFE3F mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_050FE620 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_05107E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_05107E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_05107E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_05107E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_05107E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_05107E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051BAE44 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051BAE44 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_0511AE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_0511AE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_0511AE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_0511AE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_0511AE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_0510766D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_0518FE87 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051746A7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051C0EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051C0EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051C0EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051C8ED6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_05138EC7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051AFEC0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051236CC mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051216E0 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051076E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_050F9100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_050F9100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_050F9100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_0512513A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_0512513A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_05114120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_05114120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_05114120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_05114120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_05114120 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_0511B944 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_0511B944 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_050FC962 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_050FB171 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_050FB171 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_05122990 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_0511C182 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_0512A185 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051751BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051751BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051751BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051751BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051199BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051199BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051199BF mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051199BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051199BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051199BF mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051199BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051199BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051199BF mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051199BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051199BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051199BF mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051769A6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051261A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051261A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051B49A4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051B49A4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051B49A4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051B49A4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_050FB1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_050FB1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_050FB1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 19_2_051841E8 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\order.exe | Process token adjusted: Debug
      Source: C:\Windows\SysWOW64\chkdsk.exe | Process token adjusted: Debug
      Source: C:\Users\user\Desktop\order.exe | Code function: 12_2_0056330B RtlAddVectoredExceptionHandler,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory,

      HIPS / PFW / Operating System Protection Evasion:

      Maps a DLL or memory area into another process
      Source: C:\Users\user\Desktop\order.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
      Source: C:\Users\user\Desktop\order.exe | Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write
      Source: C:\Users\user\Desktop\order.exe | Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write
      Source: C:\Windows\SysWOW64\chkdsk.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
      Source: C:\Windows\SysWOW64\chkdsk.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
      Modifies the context of a thread in another process (thread injection)
      Source: C:\Users\user\Desktop\order.exe | Thread register set: target process: 3292
      Source: C:\Windows\SysWOW64\chkdsk.exe | Thread register set: target process: 3292
      Queues an APC in another process (thread injection)
      Source: C:\Users\user\Desktop\order.exe | Thread APC queued: target process: C:\Windows\explorer.exe
      Sample uses process hollowing technique
      Source: C:\Users\user\Desktop\order.exe | Section unmapped: C:\Windows\SysWOW64\chkdsk.exe base address: A20000
      Source: C:\Users\user\Desktop\order.exe | Process created: C:\Users\user\Desktop\order.exe 'C:\Users\user\Desktop\order.exe'
      Source: C:\Windows\SysWOW64\chkdsk.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\order.exe'
      Source: explorer.exe, 00000010.00000000.376512460.0000000001400000.00000002.00000001.sdmp, chkdsk.exe, 00000013.00000002.508725687.0000000006560000.00000002.00000001.sdmp | Binary or memory string: uProgram Manager
      Source: explorer.exe, 00000010.00000000.376512460.0000000001400000.00000002.00000001.sdmp, chkdsk.exe, 00000013.00000002.508725687.0000000006560000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
      Source: explorer.exe, 00000010.00000000.376512460.0000000001400000.00000002.00000001.sdmp, chkdsk.exe, 00000013.00000002.508725687.0000000006560000.00000002.00000001.sdmp | Binary or memory string: Progman
      Source: explorer.exe, 00000010.00000000.376117915.0000000000EB8000.00000004.00000020.sdmp | Binary or memory string: ProgmanX
      Source: explorer.exe, 00000010.00000000.376512460.0000000001400000.00000002.00000001.sdmp, chkdsk.exe, 00000013.00000002.508725687.0000000006560000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
      Source: explorer.exe, 00000010.00000000.399496745.0000000008ACF000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWndAj

      Stealing of Sensitive Information:

      Yara detected FormBook
      Source: Yara match | File source: 00000013.00000002.506645902.0000000004EC0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000013.00000002.505278996.00000000007A0000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000C.00000002.415907039.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000013.00000002.506547005.0000000004E90000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000C.00000002.421125890.000000001E150000.00000040.00000001.sdmp, type: MEMORY
      Yara detected Generic Dropper
      Source: Yara match | File source: Process Memory Space: order.exe PID: 6008, type: MEMORY
      Source: Yara match | File source: Process Memory Space: chkdsk.exe PID: 4888, type: MEMORY

      Remote Access Functionality:

      Yara detected FormBook
      Source: Yara match | File source: 00000013.00000002.506645902.0000000004EC0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000013.00000002.505278996.00000000007A0000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000C.00000002.415907039.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000013.00000002.506547005.0000000004E90000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000C.00000002.421125890.000000001E150000.00000040.00000001.sdmp, type: MEMORY

      Mitre Att&ck Matrix

      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Valid Accounts | Shared Modules1 | Path Interception | Process Injection412 | Rootkit1 | Credential API Hooking1 | Security Software Discovery621 | Remote Services | Credential API Hooking1 | Exfiltration Over Other Network Medium | Encrypted Channel12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
      Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion22 | Input Capture1 | Virtualization/Sandbox Evasion22 | Remote Desktop Protocol | Input Capture1 | Exfiltration Over Bluetooth | Non-Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection412 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Archive Collected Data1 | Automated Exfiltration | Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information1 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information2 | LSA Secrets | System Information Discovery21 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings

      Behavior Graph

      [Behavior graph image not included in this extract. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other language, Is malicious, Internet]
      Screenshots

      [Screenshot thumbnails not included in this extract]

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      Source | Detection | Scanner | Label
      order.exe | 22% | Virustotal |
      order.exe | 42% | ReversingLabs | Win32.Trojan.Vebzenpak

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs

      Source | Detection | Scanner | Label
      http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
      http://www.tiro.com | 0% | URL Reputation | safe
      http://www.goodfont.co.kr | 0% | URL Reputation | safe
      http://www.carterandcone.coml | 0% | URL Reputation | safe
      http://www.sajatypeworks.com | 0% | URL Reputation | safe
      http://www.typography.netD | 0% | URL Reputation | safe
      http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
      http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
      http://fontfabrik.com | 0% | URL Reputation | safe
      http://www.founder.com.cn/cn | 0% | URL Reputation | safe
      http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
      http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
      http://www.sandoll.co.kr | 0% | URL Reputation | safe
      http://www.urwpp.deDPlease | 0% | URL Reputation | safe
      http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
      http://www.sakkal.com | 0% | URL Reputation | safe

      Domains and IPs

      Contacted Domains

      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      pilatescollective.com | 192.185.152.65 | true | false | | high

        URLs from Memory and Binaries

      Name | Source | Malicious | Antivirus Detection | Reputation
      http://www.autoitscript.com/autoit3/J | explorer.exe, 00000010.00000002.520398234.0000000006870000.00000004.00000001.sdmp | false | | high
      http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000010.00000000.402378328.000000000BE76000.00000002.00000001.sdmp | false | | high
      http://www.fontbureau.com | explorer.exe, 00000010.00000000.402378328.000000000BE76000.00000002.00000001.sdmp | false | | high
      http://www.fontbureau.com/designersG | explorer.exe, 00000010.00000000.402378328.000000000BE76000.00000002.00000001.sdmp | false | | high
      http://www.fontbureau.com/designers/? | explorer.exe, 00000010.00000000.402378328.000000000BE76000.00000002.00000001.sdmp | false | | high
      http://www.founder.com.cn/cn/bThe | explorer.exe, 00000010.00000000.402378328.000000000BE76000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
      https://pilatescollective.com/meantunde/komyydor_NMWgNRCNBM31.bin | order.exe, 0000000C.00000002.415980723.0000000000560000.00000040.00000001.sdmp | false | | high
      http://www.fontbureau.com/designers? | explorer.exe, 00000010.00000000.402378328.000000000BE76000.00000002.00000001.sdmp | false | | high
      http://www.tiro.com | explorer.exe, 00000010.00000000.402378328.000000000BE76000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.fontbureau.com/designers | explorer.exe, 00000010.00000000.402378328.000000000BE76000.00000002.00000001.sdmp | false | | high
      http://www.goodfont.co.kr | explorer.exe, 00000010.00000000.402378328.000000000BE76000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.carterandcone.coml | explorer.exe, 00000010.00000000.402378328.000000000BE76000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.sajatypeworks.com | explorer.exe, 00000010.00000000.402378328.000000000BE76000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.typography.netD | explorer.exe, 00000010.00000000.402378328.000000000BE76000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 00000010.00000000.402378328.000000000BE76000.00000002.00000001.sdmp | false | | high
      http://www.founder.com.cn/cn/cThe | explorer.exe, 00000010.00000000.402378328.000000000BE76000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 00000010.00000000.402378328.000000000BE76000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
      http://fontfabrik.com | explorer.exe, 00000010.00000000.402378328.000000000BE76000.00000002.00000001.sdmp | false | URL Reputation: safe |
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          unknown
                          http://www.founder.com.cn/cnexplorer.exe, 00000010.00000000.402378328.000000000BE76000.00000002.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          unknown
                          http://www.fontbureau.com/designers/frere-jones.htmlexplorer.exe, 00000010.00000000.402378328.000000000BE76000.00000002.00000001.sdmpfalse
                            high
                            http://www.jiyu-kobo.co.jp/explorer.exe, 00000010.00000000.402378328.000000000BE76000.00000002.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            unknown
                            http://www.galapagosdesign.com/DPleaseexplorer.exe, 00000010.00000000.402378328.000000000BE76000.00000002.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            unknown
                            http://www.fontbureau.com/designers8explorer.exe, 00000010.00000000.402378328.000000000BE76000.00000002.00000001.sdmpfalse
                              high
                              http://www.fonts.comexplorer.exe, 00000010.00000000.402378328.000000000BE76000.00000002.00000001.sdmpfalse
                                high
                                http://www.sandoll.co.krexplorer.exe, 00000010.00000000.402378328.000000000BE76000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://www.urwpp.deDPleaseexplorer.exe, 00000010.00000000.402378328.000000000BE76000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://www.zhongyicts.com.cnexplorer.exe, 00000010.00000000.402378328.000000000BE76000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://www.sakkal.comexplorer.exe, 00000010.00000000.402378328.000000000BE76000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown

                                Contacted IPs


                                Public

IP | Domain | Country | ASN | ASN Name | Malicious
192.185.152.65 | unknown | United States | 46606 | UNIFIEDLAYER-AS-1US | false

                                General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 320634
Start date: 19.11.2020
Start time: 16:08:34
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 14s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: order.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 25
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.rans.troj.spyw.evad.winEXE@7/0@1/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 20.7% (good quality ratio 17.9%)
• Quality average: 69.1%
• Quality standard deviation: 33.4%
HCA Information:
• Successful, ratio: 93%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                • TCP Packets have been reduced to 100
                                • Excluded IPs from analysis (whitelisted): 104.43.139.144, 52.147.198.201, 23.210.248.85, 51.104.144.132, 2.20.142.209, 2.20.142.210, 8.253.95.121, 8.253.95.249, 8.253.95.120, 8.241.122.126, 67.26.81.254, 40.67.251.132, 52.155.217.156, 20.54.26.129, 92.122.213.247, 92.122.213.194, 51.104.139.180
                                • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, par02p.wns.notify.windows.com.akadns.net, db5p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, umwatsonrouting.trafficmanager.net
                                • Report size exceeded maximum capacity and may have missing disassembly code.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.

                                Simulations

                                Behavior and APIs

                                No simulations

                                Joe Sandbox View / Context

                                IPs

                                No context

                                Domains

                                No context

                                ASN

Match: UNIFIEDLAYER-AS-1US
Associated Sample Name / URL | Detection | Context
Documentation.478396766.doc | malicious | 162.241.44.26
8OP0MEmSDd.dll | malicious | 192.232.229.53
Information-478224510.doc | malicious | 192.232.229.53
ZcmAPc4xeE.dll | malicious | 162.241.44.26
7aKeSIV5Cu.dll | malicious | 192.232.229.53
qRMGCk1u96.dll | malicious | 192.232.229.53
qAm7u8G4lM.exe | malicious | 192.185.138.193
AWB# 9284730932.exe | malicious | 192.185.170.106
Document3327.xlsb | malicious | 198.57.244.39
POSH XANADU Order-SP-20093000-xlxs.xlsx | malicious | 192.185.144.204
dVcML4Zl0J.dll | malicious | 192.232.229.53
JTWtIx6ADf.dll | malicious | 192.232.229.53
yrV5qWOmi3.dll | malicious | 192.232.229.53
bGtm3bQKUj.exe | malicious | 192.185.41.224
http://sanwhyl.seclenght.ml/whelst/8728WKEE_773_JDG833.html | malicious | 162.214.72.58
https://app.box.com/s/frm9cufh9ljwjmsdcrv6gioilzlttstr | malicious | 162.241.41.34
https://pornshare.cyou/mnbvcgh/loiuhgf/ | malicious | 162.241.143.221
Invoice_99012_476904.xlsm | malicious | 192.232.229.53
Invoice_37081_761967.xlsm | malicious | 162.241.44.26
https://juicytatesful.com/re/ | malicious | 162.241.126.121

                                JA3 Fingerprints

Match: 37f463bf4616ecd445d4a1937da06e19
Associated Sample Name / URL | Detection | Context
http://45.95.168.116 | malicious | 192.185.152.65
https://u7342898.ct.sendgrid.net/ls/click?upn=HCSIWZDf9Xl-2FB6XFKqg1zjEMCja-2BnYJ5hRYKkDjy2dSVqjHsLlv5ZMXJXnh9JLSzwabeBrvYMnX699odsYkKotv4jgW-2BTippSHf276Hpn3fz0kcusnYHGKND7vKQPAS7g42-2FTb5zb8CNq57r3z9Ilg-3D-3DWdrE_hNl5WjNXy0NQcJb9WqI7qh7uPLeU7UGDRahFCFKbQLS6qwym7zJ-2B-2BhWsSSLs8pHa1w9VDlWPsA7ahHsZZucjX2ktFkSy5vhVZT2L3Jxh6b-2FoboCHa2CJGLfF19s71-2FI3WPC7rECe-2BEO9fLwbfggsNq2V1-2FqgMhzgJQL411ZuD7Y8pECisPKLf0vf9WvB1fyVO9o6Euui31Jg3e-2FDialpg2CbkM21Us8J-2FBk13yWzh58-3D | malicious | 192.185.152.65
https://carolearmstrongrealestate.com/wpe/14ea332d0684051d9fef033a5f1607dd?usr=cnBlbmRsZXRvbkBkYXRlc3dlaXNlci5jb20= | malicious | 192.185.152.65
dde1df2ac5845a19823cabe182fcd870.exe | malicious | 192.185.152.65
https://prod.dfg152.ru/activate?key=23696252760045174930 | malicious | 192.185.152.65
dde1df2ac5845a19823cabe182fcd870.exe | malicious | 192.185.152.65
BYRkah8GsZ.exe | malicious | 192.185.152.65
https://www.canva.com/design/DAEN3YdYVHw/zaVHWoDx-9G9l20JXWSBtg/view?utm_content=DAEN3YdYVHw&utm_campaign=designshare&utm_medium=link&utm_source=sharebutton | malicious | 192.185.152.65
splwow64.exe | malicious | 192.185.152.65
NyUnwsFSCa.exe | malicious | 192.185.152.65
https://signup.kwikvpn.com/ | malicious | 192.185.152.65
AWB# 9284730932.exe | malicious | 192.185.152.65
https://www.canva.com/design/DAENqED8UzU/0m_RcAQIILTwa79MyPG8KA/view?utm_content=DAENqED8UzU&utm_campaign=designshare&utm_medium=link&utm_source=sharebutton | malicious | 192.185.152.65
https://akljsdhfas.selz.com/? | malicious | 192.185.152.65
doc2227740.xls | malicious | 192.185.152.65
d11311145.xls | malicious | 192.185.152.65
Original Shipment Document.exe | malicious | 192.185.152.65
PO#0007507_009389283882873PDF.exe | malicious | 192.185.152.65
MV GRAN LOBO 008.xlsx | malicious | 192.185.152.65
http://www.ericbess.com/ericblog/2008/03/03/wp-codebox/#examples | malicious | 192.185.152.65

                                Dropped Files

                                No context

                                Created / dropped Files

                                No created / dropped files found

                                Static File Info

                                General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 5.4399922873178586
TrID:
• Win32 Executable (generic) a (10002005/4) 99.15%
• Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: order.exe
File size: 86016 bytes
MD5: 27d7951ec430f93458370a00272d823d
SHA1: 195eef585ef2307027df1ff05678ea2be23ae25e
SHA256: 306d4c4068a82c3c744c534054536b99a0887d71f194a0dcb689bfea9fd0e0f3
SHA512: babb2fb36ce35e3217662d5357909864be5b88b4ab7770eb6b2f8e5340bb2d0c8f42d3d8296a4615d9275df71cf4e3782c01bedae9306ce5e3db37d0e2d894e7
SSDEEP: 768:y8vtiO7Y7AqC2tw9XFRSZzjIQVPVJwukLqjYA7H3KAp26y/fT9UT3rvvJ57p2GAs:GslqgJuZzwZ2YA7lps/fTaT3d5t2Gd
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L....[._................. ...0...............0....@................

                                File Icon

Icon Hash: 20047c7c70f0e004

                                Static PE Info

                                General

Entrypoint: 0x4016d8
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp: 0x5FB45BC5 [Tue Nov 17 23:24:53 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 1df1cc653eca0e7ef0f1b96ca8b2c716

                                Entrypoint Preview

                                Instruction
                                push 00401880h
                                call 00007FA1FCA14093h
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                xor byte ptr [eax], al
                                add byte ptr [eax], al
                                inc eax
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add dh, dl
                                xor dh, byte ptr [ecx-05h]
                                dec esi
                                xlatb
                                inc eax
                                mov dh, D7h
                                dec ecx
                                and al, byte ptr [ebx-75h]
                                int3
                                sub eax, 00000000h
                                add byte ptr [eax], al
                                add dword ptr [eax], eax
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                call 00007FA265A43E34h
                                insd
                                insd
                                jne 00007FA1FCA14110h
                                bound ebp, dword ptr [ecx+6Fh]
                                insb
                                outsd
                                imul eax, dword ptr [bx+si], 00004108h
                                add byte ptr [eax], al
                                add bh, bh
                                int3
                                xor dword ptr [eax], eax
                                add byte ptr [ebp-0171FB81h], bh
                                xchg byte ptr [eax+44h], dl
                                xchg eax, ebp
                                adc al, 60h
                                bound esi, dword ptr [esi]
                                sbb ch, byte ptr [edi-4Ch]
                                mov dword ptr [B81D217Fh], eax
                                inc esi
                                fld qword ptr [ecx-65h]
                                xor eax, dword ptr [edx+ecx*8]

                                Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x12764 | 0x28 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x15000 | 0x8f8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x148 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -

                                Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x11cb4 | 0x12000 | False | 0.413072374132 | data | 5.87967600882 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x13000 | 0x11f8 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x15000 | 0x8f8 | 0x1000 | False | 0.16650390625 | data | 1.94842215904 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x157c8 | 0x130 | data | - | -
RT_ICON | 0x154e0 | 0x2e8 | data | - | -
RT_ICON | 0x153b8 | 0x128 | GLS_BINARY_LSB_FIRST | - | -
RT_GROUP_ICON | 0x15388 | 0x30 | data | - | -
RT_VERSION | 0x15150 | 0x238 | data | Italian | Italy

                                Imports

DLL | Import
MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaLateMemSt, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFPFix, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, __vbaVarTstEq, __vbaI2I4, __vbaObjVar, __vbaCastObjVar, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaI2Var, _CIlog, __vbaFileOpen, __vbaNew2, __vbaR8Str, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaVarSetObj, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarDup, __vbaVarLateMemCallLd, __vbaFpI4, __vbaLateMemCallLd, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

                                Version Infos

Description | Data
Translation | 0x0410 0x04b0
InternalName | PENGESEDLERS
FileVersion | 2.00
CompanyName | KTS Division
ProductName | KTS Division
ProductVersion | 2.00
OriginalFilename | PENGESEDLERS.exe

                                Possible Origin

Language of compilation system | Country where language is spoken
Italian | Italy

                                Network Behavior

                                Network Port Distribution

                                TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 19, 2020 16:10:29.722503901 CET | 49735 | 443 | 192.168.2.7 | 192.185.152.65
Nov 19, 2020 16:10:29.856817007 CET | 443 | 49735 | 192.185.152.65 | 192.168.2.7
Nov 19, 2020 16:10:29.856966019 CET | 49735 | 443 | 192.168.2.7 | 192.185.152.65
Nov 19, 2020 16:10:29.928909063 CET | 49735 | 443 | 192.168.2.7 | 192.185.152.65
Nov 19, 2020 16:10:30.063019037 CET | 443 | 49735 | 192.185.152.65 | 192.168.2.7
Nov 19, 2020 16:10:30.065047979 CET | 443 | 49735 | 192.185.152.65 | 192.168.2.7
Nov 19, 2020 16:10:30.065067053 CET | 443 | 49735 | 192.185.152.65 | 192.168.2.7
Nov 19, 2020 16:10:30.065084934 CET | 443 | 49735 | 192.185.152.65 | 192.168.2.7
Nov 19, 2020 16:10:30.065140963 CET | 49735 | 443 | 192.168.2.7 | 192.185.152.65
Nov 19, 2020 16:10:30.065181971 CET | 49735 | 443 | 192.168.2.7 | 192.185.152.65
Nov 19, 2020 16:10:30.153759956 CET | 49735 | 443 | 192.168.2.7 | 192.185.152.65
Nov 19, 2020 16:10:30.288382053 CET | 443 | 49735 | 192.185.152.65 | 192.168.2.7
Nov 19, 2020 16:10:30.288482904 CET | 49735 | 443 | 192.168.2.7 | 192.185.152.65
Nov 19, 2020 16:10:30.308345079 CET | 49735 | 443 | 192.168.2.7 | 192.185.152.65
Nov 19, 2020 16:10:30.450371027 CET | 443 | 49735 | 192.185.152.65 | 192.168.2.7
Nov 19, 2020 16:10:30.450412035 CET | 443 | 49735 | 192.185.152.65 | 192.168.2.7
Nov 19, 2020 16:10:30.450459957 CET | 443 | 49735 | 192.185.152.65 | 192.168.2.7
Nov 19, 2020 16:10:30.450503111 CET | 443 | 49735 | 192.185.152.65 | 192.168.2.7
Nov 19, 2020 16:10:30.450540066 CET | 443 | 49735 | 192.185.152.65 | 192.168.2.7
Nov 19, 2020 16:10:30.450573921 CET | 49735 | 443 | 192.168.2.7 | 192.185.152.65
Nov 19, 2020 16:10:30.450577974 CET | 443 | 49735 | 192.185.152.65 | 192.168.2.7
Nov 19, 2020 16:10:30.450618029 CET | 443 | 49735 | 192.185.152.65 | 192.168.2.7
Nov 19, 2020 16:10:30.450633049 CET | 49735 | 443 | 192.168.2.7 | 192.185.152.65
Nov 19, 2020 16:10:30.450654984 CET | 443 | 49735 | 192.185.152.65 | 192.168.2.7
Nov 19, 2020 16:10:30.450664997 CET | 49735 | 443 | 192.168.2.7 | 192.185.152.65
Nov 19, 2020 16:10:30.450695038 CET | 443 | 49735 | 192.185.152.65 | 192.168.2.7
Nov 19, 2020 16:10:30.450735092 CET | 443 | 49735 | 192.185.152.65 | 192.168.2.7
Nov 19, 2020 16:10:30.450751066 CET | 49735 | 443 | 192.168.2.7 | 192.185.152.65
Nov 19, 2020 16:10:30.450779915 CET | 49735 | 443 | 192.168.2.7 | 192.185.152.65
Nov 19, 2020 16:10:30.585038900 CET | 443 | 49735 | 192.185.152.65 | 192.168.2.7
Nov 19, 2020 16:10:30.585112095 CET | 443 | 49735 | 192.185.152.65 | 192.168.2.7
Nov 19, 2020 16:10:30.585174084 CET | 443 | 49735 | 192.185.152.65 | 192.168.2.7
Nov 19, 2020 16:10:30.585206032 CET | 49735 | 443 | 192.168.2.7 | 192.185.152.65
Nov 19, 2020 16:10:30.585227966 CET | 443 | 49735 | 192.185.152.65 | 192.168.2.7
Nov 19, 2020 16:10:30.585248947 CET | 49735 | 443 | 192.168.2.7 | 192.185.152.65
Nov 19, 2020 16:10:30.585268974 CET | 443 | 49735 | 192.185.152.65 | 192.168.2.7
Nov 19, 2020 16:10:30.585314989 CET | 443 | 49735 | 192.185.152.65 | 192.168.2.7
Nov 19, 2020 16:10:30.585391998 CET | 49735 | 443 | 192.168.2.7 | 192.185.152.65
Nov 19, 2020 16:10:30.585411072 CET | 443 | 49735 | 192.185.152.65 | 192.168.2.7
Nov 19, 2020 16:10:30.585458994 CET | 443 | 49735 | 192.185.152.65 | 192.168.2.7
Nov 19, 2020 16:10:30.585499048 CET | 443 | 49735 | 192.185.152.65 | 192.168.2.7
Nov 19, 2020 16:10:30.585520029 CET | 49735 | 443 | 192.168.2.7 | 192.185.152.65
Nov 19, 2020 16:10:30.585555077 CET | 443 | 49735 | 192.185.152.65 | 192.168.2.7
Nov 19, 2020 16:10:30.585599899 CET | 443 | 49735 | 192.185.152.65 | 192.168.2.7
Nov 19, 2020 16:10:30.585607052 CET | 49735 | 443 | 192.168.2.7 | 192.185.152.65
Nov 19, 2020 16:10:30.585623026 CET | 49735 | 443 | 192.168.2.7 | 192.185.152.65
Nov 19, 2020 16:10:30.585637093 CET | 443 | 49735 | 192.185.152.65 | 192.168.2.7
Nov 19, 2020 16:10:30.585664988 CET | 49735 | 443 | 192.168.2.7 | 192.185.152.65
Nov 19, 2020 16:10:30.585678101 CET | 443 | 49735 | 192.185.152.65 | 192.168.2.7
Nov 19, 2020 16:10:30.585695982 CET | 49735 | 443 | 192.168.2.7 | 192.185.152.65
Nov 19, 2020 16:10:30.585719109 CET | 443 | 49735 | 192.185.152.65 | 192.168.2.7
Nov 19, 2020 16:10:30.585767984 CET | 443 | 49735 | 192.185.152.65 | 192.168.2.7
Nov 19, 2020 16:10:30.585772038 CET | 49735 | 443 | 192.168.2.7 | 192.185.152.65
Nov 19, 2020 16:10:30.585813046 CET | 443 | 49735 | 192.185.152.65 | 192.168.2.7
Nov 19, 2020 16:10:30.585851908 CET | 443 | 49735 | 192.185.152.65 | 192.168.2.7
Nov 19, 2020 16:10:30.585874081 CET | 49735 | 443 | 192.168.2.7 | 192.185.152.65
Nov 19, 2020 16:10:30.585891962 CET | 443 | 49735 | 192.185.152.65 | 192.168.2.7
Nov 19, 2020 16:10:30.585927010 CET | 49735 | 443 | 192.168.2.7 | 192.185.152.65
Nov 19, 2020 16:10:30.585932016 CET | 443 | 49735 | 192.185.152.65 | 192.168.2.7
Nov 19, 2020 16:10:30.585968971 CET | 49735 | 443 | 192.168.2.7 | 192.185.152.65
Nov 19, 2020 16:10:30.585988045 CET | 443 | 49735 | 192.185.152.65 | 192.168.2.7
Nov 19, 2020 16:10:30.586002111 CET | 49735 | 443 | 192.168.2.7 | 192.185.152.65
Nov 19, 2020 16:10:30.586045980 CET | 49735 | 443 | 192.168.2.7 | 192.185.152.65
Nov 19, 2020 16:10:30.720097065 CET | 443 | 49735 | 192.185.152.65 | 192.168.2.7
Nov 19, 2020 16:10:30.720124960 CET | 443 | 49735 | 192.185.152.65 | 192.168.2.7
Nov 19, 2020 16:10:30.720138073 CET | 443 | 49735 | 192.185.152.65 | 192.168.2.7
Nov 19, 2020 16:10:30.720149994 CET | 443 | 49735 | 192.185.152.65 | 192.168.2.7
                                Nov 19, 2020 16:10:30.720168114 CET44349735192.185.152.65192.168.2.7
                                Nov 19, 2020 16:10:30.720185041 CET44349735192.185.152.65192.168.2.7
                                Nov 19, 2020 16:10:30.720201015 CET44349735192.185.152.65192.168.2.7
                                Nov 19, 2020 16:10:30.720221043 CET44349735192.185.152.65192.168.2.7
                                Nov 19, 2020 16:10:30.720232010 CET49735443192.168.2.7192.185.152.65
                                Nov 19, 2020 16:10:30.720241070 CET44349735192.185.152.65192.168.2.7
                                Nov 19, 2020 16:10:30.720258951 CET44349735192.185.152.65192.168.2.7
                                Nov 19, 2020 16:10:30.720273018 CET49735443192.168.2.7192.185.152.65
                                Nov 19, 2020 16:10:30.720277071 CET44349735192.185.152.65192.168.2.7
                                Nov 19, 2020 16:10:30.720294952 CET44349735192.185.152.65192.168.2.7
                                Nov 19, 2020 16:10:30.720304966 CET49735443192.168.2.7192.185.152.65
                                Nov 19, 2020 16:10:30.720309973 CET44349735192.185.152.65192.168.2.7
                                Nov 19, 2020 16:10:30.720321894 CET49735443192.168.2.7192.185.152.65
                                Nov 19, 2020 16:10:30.720326900 CET44349735192.185.152.65192.168.2.7
                                Nov 19, 2020 16:10:30.720345020 CET44349735192.185.152.65192.168.2.7
                                Nov 19, 2020 16:10:30.720355988 CET49735443192.168.2.7192.185.152.65
                                Nov 19, 2020 16:10:30.720365047 CET44349735192.185.152.65192.168.2.7
                                Nov 19, 2020 16:10:30.720382929 CET44349735192.185.152.65192.168.2.7
                                Nov 19, 2020 16:10:30.720387936 CET49735443192.168.2.7192.185.152.65
                                Nov 19, 2020 16:10:30.720398903 CET44349735192.185.152.65192.168.2.7
                                Nov 19, 2020 16:10:30.720413923 CET49735443192.168.2.7192.185.152.65
                                Nov 19, 2020 16:10:30.720417023 CET44349735192.185.152.65192.168.2.7
                                Nov 19, 2020 16:10:30.720434904 CET44349735192.185.152.65192.168.2.7
                                Nov 19, 2020 16:10:30.720446110 CET49735443192.168.2.7192.185.152.65
                                Nov 19, 2020 16:10:30.720451117 CET44349735192.185.152.65192.168.2.7
                                Nov 19, 2020 16:10:30.720468044 CET44349735192.185.152.65192.168.2.7
                                Nov 19, 2020 16:10:30.720482111 CET49735443192.168.2.7192.185.152.65
                                Nov 19, 2020 16:10:30.720484972 CET44349735192.185.152.65192.168.2.7
                                Nov 19, 2020 16:10:30.720496893 CET49735443192.168.2.7192.185.152.65
                                Nov 19, 2020 16:10:30.720504999 CET44349735192.185.152.65192.168.2.7
                                Nov 19, 2020 16:10:30.720524073 CET44349735192.185.152.65192.168.2.7
                                Nov 19, 2020 16:10:30.720532894 CET49735443192.168.2.7192.185.152.65
                                Nov 19, 2020 16:10:30.720541000 CET44349735192.185.152.65192.168.2.7

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 19, 2020 16:09:27.216279030 CET | 64569 | 53 | 192.168.2.7 | 8.8.8.8
Nov 19, 2020 16:09:27.243526936 CET | 53 | 64569 | 8.8.8.8 | 192.168.2.7
Nov 19, 2020 16:09:28.402092934 CET | 52816 | 53 | 192.168.2.7 | 8.8.8.8
Nov 19, 2020 16:09:28.429184914 CET | 53 | 52816 | 8.8.8.8 | 192.168.2.7
Nov 19, 2020 16:09:29.210594893 CET | 50781 | 53 | 192.168.2.7 | 8.8.8.8
Nov 19, 2020 16:09:29.237651110 CET | 53 | 50781 | 8.8.8.8 | 192.168.2.7
Nov 19, 2020 16:09:30.185095072 CET | 54230 | 53 | 192.168.2.7 | 8.8.8.8
Nov 19, 2020 16:09:30.212181091 CET | 53 | 54230 | 8.8.8.8 | 192.168.2.7
Nov 19, 2020 16:09:30.999819994 CET | 54911 | 53 | 192.168.2.7 | 8.8.8.8
Nov 19, 2020 16:09:31.026719093 CET | 53 | 54911 | 8.8.8.8 | 192.168.2.7
Nov 19, 2020 16:09:33.333143950 CET | 49958 | 53 | 192.168.2.7 | 8.8.8.8
Nov 19, 2020 16:09:33.360455036 CET | 53 | 49958 | 8.8.8.8 | 192.168.2.7
Nov 19, 2020 16:09:34.001728058 CET | 50860 | 53 | 192.168.2.7 | 8.8.8.8
Nov 19, 2020 16:09:34.028850079 CET | 53 | 50860 | 8.8.8.8 | 192.168.2.7
Nov 19, 2020 16:09:34.699845076 CET | 50452 | 53 | 192.168.2.7 | 8.8.8.8
Nov 19, 2020 16:09:34.726861954 CET | 53 | 50452 | 8.8.8.8 | 192.168.2.7
Nov 19, 2020 16:09:35.857800961 CET | 59730 | 53 | 192.168.2.7 | 8.8.8.8
Nov 19, 2020 16:09:35.884846926 CET | 53 | 59730 | 8.8.8.8 | 192.168.2.7
Nov 19, 2020 16:09:36.667138100 CET | 59310 | 53 | 192.168.2.7 | 8.8.8.8
Nov 19, 2020 16:09:36.694262981 CET | 53 | 59310 | 8.8.8.8 | 192.168.2.7
Nov 19, 2020 16:09:37.469588041 CET | 51919 | 53 | 192.168.2.7 | 8.8.8.8
Nov 19, 2020 16:09:37.496702909 CET | 53 | 51919 | 8.8.8.8 | 192.168.2.7
Nov 19, 2020 16:09:38.819951057 CET | 64296 | 53 | 192.168.2.7 | 8.8.8.8
Nov 19, 2020 16:09:38.847021103 CET | 53 | 64296 | 8.8.8.8 | 192.168.2.7
Nov 19, 2020 16:09:39.778434992 CET | 56680 | 53 | 192.168.2.7 | 8.8.8.8
Nov 19, 2020 16:09:39.805607080 CET | 53 | 56680 | 8.8.8.8 | 192.168.2.7
Nov 19, 2020 16:09:40.843888998 CET | 58820 | 53 | 192.168.2.7 | 8.8.8.8
Nov 19, 2020 16:09:40.870883942 CET | 53 | 58820 | 8.8.8.8 | 192.168.2.7
Nov 19, 2020 16:09:41.153567076 CET | 60983 | 53 | 192.168.2.7 | 8.8.8.8
Nov 19, 2020 16:09:41.190642118 CET | 53 | 60983 | 8.8.8.8 | 192.168.2.7
Nov 19, 2020 16:09:54.688739061 CET | 49247 | 53 | 192.168.2.7 | 8.8.8.8
Nov 19, 2020 16:09:54.715738058 CET | 53 | 49247 | 8.8.8.8 | 192.168.2.7
Nov 19, 2020 16:10:12.328078985 CET | 52286 | 53 | 192.168.2.7 | 8.8.8.8
Nov 19, 2020 16:10:12.365240097 CET | 53 | 52286 | 8.8.8.8 | 192.168.2.7
Nov 19, 2020 16:10:12.419054031 CET | 56064 | 53 | 192.168.2.7 | 8.8.8.8
Nov 19, 2020 16:10:12.447438955 CET | 53 | 56064 | 8.8.8.8 | 192.168.2.7
Nov 19, 2020 16:10:13.494297981 CET | 63744 | 53 | 192.168.2.7 | 8.8.8.8
Nov 19, 2020 16:10:13.529934883 CET | 53 | 63744 | 8.8.8.8 | 192.168.2.7
Nov 19, 2020 16:10:29.528084040 CET | 61457 | 53 | 192.168.2.7 | 8.8.8.8
Nov 19, 2020 16:10:29.688904047 CET | 53 | 61457 | 8.8.8.8 | 192.168.2.7
Nov 19, 2020 16:10:30.412384987 CET | 58367 | 53 | 192.168.2.7 | 8.8.8.8
Nov 19, 2020 16:10:30.448786020 CET | 53 | 58367 | 8.8.8.8 | 192.168.2.7
Nov 19, 2020 16:10:31.190339088 CET | 60599 | 53 | 192.168.2.7 | 8.8.8.8
Nov 19, 2020 16:10:31.225877047 CET | 53 | 60599 | 8.8.8.8 | 192.168.2.7
Nov 19, 2020 16:10:31.666188002 CET | 59571 | 53 | 192.168.2.7 | 8.8.8.8
Nov 19, 2020 16:10:31.702122927 CET | 53 | 59571 | 8.8.8.8 | 192.168.2.7
Nov 19, 2020 16:10:31.998749971 CET | 52689 | 53 | 192.168.2.7 | 8.8.8.8
Nov 19, 2020 16:10:32.034329891 CET | 53 | 52689 | 8.8.8.8 | 192.168.2.7
Nov 19, 2020 16:10:32.363002062 CET | 50290 | 53 | 192.168.2.7 | 8.8.8.8
Nov 19, 2020 16:10:32.398730993 CET | 53 | 50290 | 8.8.8.8 | 192.168.2.7
Nov 19, 2020 16:10:32.803275108 CET | 60427 | 53 | 192.168.2.7 | 8.8.8.8
Nov 19, 2020 16:10:32.838673115 CET | 53 | 60427 | 8.8.8.8 | 192.168.2.7
Nov 19, 2020 16:10:33.277318954 CET | 56209 | 53 | 192.168.2.7 | 8.8.8.8
Nov 19, 2020 16:10:33.312941074 CET | 53 | 56209 | 8.8.8.8 | 192.168.2.7
Nov 19, 2020 16:10:33.842154026 CET | 59582 | 53 | 192.168.2.7 | 8.8.8.8
Nov 19, 2020 16:10:33.886010885 CET | 53 | 59582 | 8.8.8.8 | 192.168.2.7
Nov 19, 2020 16:10:34.141244888 CET | 60949 | 53 | 192.168.2.7 | 8.8.8.8
Nov 19, 2020 16:10:34.177592993 CET | 53 | 60949 | 8.8.8.8 | 192.168.2.7
Nov 19, 2020 16:10:35.192492962 CET | 58542 | 53 | 192.168.2.7 | 8.8.8.8
Nov 19, 2020 16:10:35.228383064 CET | 53 | 58542 | 8.8.8.8 | 192.168.2.7
Nov 19, 2020 16:10:35.603569984 CET | 59179 | 53 | 192.168.2.7 | 8.8.8.8
Nov 19, 2020 16:10:35.607846022 CET | 60927 | 53 | 192.168.2.7 | 8.8.8.8
Nov 19, 2020 16:10:35.641298056 CET | 53 | 59179 | 8.8.8.8 | 192.168.2.7
Nov 19, 2020 16:10:35.643095970 CET | 53 | 60927 | 8.8.8.8 | 192.168.2.7
Nov 19, 2020 16:10:55.682343006 CET | 57854 | 53 | 192.168.2.7 | 8.8.8.8
Nov 19, 2020 16:10:55.717895031 CET | 53 | 57854 | 8.8.8.8 | 192.168.2.7
Nov 19, 2020 16:10:58.994088888 CET | 62026 | 53 | 192.168.2.7 | 8.8.8.8
Nov 19, 2020 16:10:59.021248102 CET | 53 | 62026 | 8.8.8.8 | 192.168.2.7
Nov 19, 2020 16:11:15.196707964 CET | 59453 | 53 | 192.168.2.7 | 8.8.8.8
Nov 19, 2020 16:11:15.223814011 CET | 53 | 59453 | 8.8.8.8 | 192.168.2.7

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 19, 2020 16:10:29.528084040 CET | 192.168.2.7 | 8.8.8.8 | 0x81de | Standard query (0) | pilatescollective.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 19, 2020 16:10:29.688904047 CET | 8.8.8.8 | 192.168.2.7 | 0x81de | No error (0) | pilatescollective.com | (none) | 192.185.152.65 | A (IP address) | IN (0x0001)

HTTPS Packets

Timestamp | Source IP | Source Port | Dest IP | Dest Port | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
Nov 19, 2020 16:10:30.065084934 CET | 192.185.152.65 | 443 | 192.168.2.7 | 49735 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 37f463bf4616ecd445d4a1937da06e19

Certificate chain presented on that connection (leaf first, then intermediate):

Subject | Issuer | Not Before | Not After
CN=www.pilatescollective.com | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | Fri Nov 06 01:22:43 CET 2020 | Thu Feb 04 01:22:43 CET 2021
CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | CN=DST Root CA X3, O=Digital Signature Trust Co. | Thu Mar 17 17:40:46 CET 2016 | Wed Mar 17 17:40:46 CET 2021

Code Manipulations

User Modules

Hook Summary

Function Name | Hook Type | Active in Processes
PeekMessageA | INLINE | explorer.exe
PeekMessageW | INLINE | explorer.exe
GetMessageW | INLINE | explorer.exe
GetMessageA | INLINE | explorer.exe

Processes

Process: explorer.exe, Module: user32.dll
Function Name | Hook Type | New Data
PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x84 0x4E 0xED
PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x8C 0xCE 0xED
GetMessageW | INLINE | 0x48 0x8B 0xB8 0x8C 0xCE 0xED
GetMessageA | INLINE | 0x48 0x8B 0xB8 0x84 0x4E 0xED

Statistics

Behavior


System Behavior

General

Start time: 16:09:28
Start date: 19/11/2020
Path: C:\Users\user\Desktop\order.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\order.exe'
Imagebase: 0x400000
File size: 86016 bytes
MD5 hash: 27D7951EC430F93458370A00272D823D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Visual Basic
Reputation: low

General

Start time: 16:10:18
Start date: 19/11/2020
Path: C:\Users\user\Desktop\order.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\order.exe'
Imagebase: 0x400000
File size: 86016 bytes
MD5 hash: 27D7951EC430F93458370A00272D823D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.415907039.00000000000A0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.415907039.00000000000A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.415907039.00000000000A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.421125890.000000001E150000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.421125890.000000001E150000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.421125890.000000001E150000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 16:10:32
Start date: 19/11/2020
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline:
Imagebase: 0x7ff662bf0000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 16:10:47
Start date: 19/11/2020
Path: C:\Windows\SysWOW64\chkdsk.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\chkdsk.exe
Imagebase: 0xa20000
File size: 23040 bytes
MD5 hash: 2D5A2497CB57C374B3AE3080FF9186FB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.506645902.0000000004EC0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.506645902.0000000004EC0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.506645902.0000000004EC0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000013.00000002.506407898.0000000004C35000.00000004.00000020.sdmp, Author: Florian Roth
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.505278996.00000000007A0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.505278996.00000000007A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.505278996.00000000007A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000013.00000002.508528778.00000000055FF000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.506547005.0000000004E90000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.506547005.0000000004E90000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.506547005.0000000004E90000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate

General

Start time: 16:10:52
Start date: 19/11/2020
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del 'C:\Users\user\Desktop\order.exe'
Imagebase: 0x870000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 16:10:52
Start date: 19/11/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff774ee0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis