
Analysis Report 28New Order -YJ-1906-1933.exe

Overview

General Information

Joe Sandbox Version: 26.0.0 Aquamarine
Analysis ID: 151573
Start date: 12.07.2019
Start time: 11:02:51
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 7s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 28New Order -YJ-1906-1933.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@9/2@2/1
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 51.9% (good quality ratio 51.1%)
  • Quality average: 94.5%
  • Quality standard deviation: 16.7%
HCA Information:
  • Successful, ratio: 91%
  • Number of executed functions: 192
  • Number of non-executed functions: 50
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, sc.exe, dllhost.exe, WMIADAP.exe, conhost.exe, CompatTelRunner.exe
  • Excluded IPs from analysis (whitelisted): 8.247.209.254, 8.253.208.120, 67.27.150.254, 8.247.209.126, 8.248.5.254, 93.184.221.240
  • Excluded domains from analysis (whitelisted): wu.ec.azureedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, auto.au.download.windowsupdate.com.c.footprint.net, wu.wpc.apr-52dd2.edgecastdns.net, wu.azureedge.net
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy   Score  Range    Reporting  Whitelisted  Detection
Threshold  100    0 - 100             false        malicious

Confidence

Strategy   Score  Range  Further Analysis Required?  Confidence
Threshold  5      0 - 5  false


Classification

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior.



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Valid Accounts | Windows Management Instrumentation 111 | Registry Run Keys / Startup Folder 1 | Access Token Manipulation 1 | Software Packing 31 | Credential Dumping 2 | System Time Discovery 1 | Remote File Copy 2 | Data from Local System 2 | Data Encrypted 1 | Remote File Copy 2
Replication Through Removable Media | Execution through API 1 | Port Monitors | Process Injection 1 | Disabling Security Tools 1 | Credentials in Files 1 | Account Discovery 1 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Standard Cryptographic Protocol 1
Drive-by Compromise | Windows Management Instrumentation | Accessibility Features | Path Interception | Deobfuscate/Decode Files or Information 1 | Credentials in Registry 1 | Security Software Discovery 51 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Non-Application Layer Protocol 2
Exploit Public-Facing Application | Scheduled Task | System Firmware | DLL Search Order Hijacking | Obfuscated Files or Information 2 | Credentials in Files | File and Directory Discovery 1 | Logon Scripts | Input Capture | Data Encrypted | Standard Application Layer Protocol 2
Spearphishing Link | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Access Token Manipulation 1 | Account Manipulation | System Information Discovery 123 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol
Spearphishing Attachment | Graphical User Interface | Modify Existing Service | New Service | Process Injection 1 | Brute Force | Query Registry 1 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port
Spearphishing via Service | Scripting | Path Interception | Scheduled Task | DLL Side-Loading 1 | Two-Factor Authentication Interception | Process Discovery 3 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port
Supply Chain Compromise | Third-party Software | Logon Scripts | Process Injection | Indicator Blocking | Bash History | System Owner/User Discovery 1 | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol
Trusted Relationship | Rundll32 | DLL Search Order Hijacking | Service Registry Permissions Weakness | Process Injection | Input Prompt | Remote System Discovery 1 | Windows Admin Shares | Automated Collection | Exfiltration Over Physical Medium | Multilayer Encryption
Hardware Additions | PowerShell | Change Default File Association | Exploitation for Privilege Escalation | Scripting | Keychain | System Network Configuration Discovery 1 | Taint Shared Content | Audio Capture |  | Connection Proxy

Signature Overview

AV Detection:

Antivirus or Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for sample
Source: 28New Order -YJ-1906-1933.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 11.2.newapp.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: 10.2.newapp.exe.400000.1.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 0.2.28New Order -YJ-1906-1933.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: 2.2.28New Order -YJ-1906-1933.exe.400000.1.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 12.2.newapp.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 2.2.28New Order -YJ-1906-1933.exe.60000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 2.0.28New Order -YJ-1906-1933.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: 0.0.28New Order -YJ-1906-1933.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: 10.0.newapp.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: 10.2.newapp.exe.60000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 11.0.newapp.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: 12.0.newapp.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: 12.2.newapp.exe.2220000.1.unpack | Avira: Label: TR/Dropper.Gen
Source: 9.2.newapp.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: 9.0.newapp.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: 11.2.newapp.exe.400000.0.unpack | Joe Sandbox ML: detected
Source: 10.2.newapp.exe.400000.1.unpack | Joe Sandbox ML: detected
Source: 10.1.newapp.exe.400000.0.unpack | Joe Sandbox ML: detected
Source: 0.2.28New Order -YJ-1906-1933.exe.400000.0.unpack | Joe Sandbox ML: detected
Source: 2.2.28New Order -YJ-1906-1933.exe.400000.1.unpack | Joe Sandbox ML: detected
Source: 10.2.newapp.exe.2a56000.2.unpack | Joe Sandbox ML: detected
Source: 12.2.newapp.exe.400000.0.unpack | Joe Sandbox ML: detected
Source: 2.2.28New Order -YJ-1906-1933.exe.60000.0.unpack | Joe Sandbox ML: detected
Source: 12.1.newapp.exe.400000.0.unpack | Joe Sandbox ML: detected
Source: 9.1.newapp.exe.400000.0.unpack | Joe Sandbox ML: detected
Source: 2.1.28New Order -YJ-1906-1933.exe.400000.0.unpack | Joe Sandbox ML: detected
Source: 2.0.28New Order -YJ-1906-1933.exe.400000.0.unpack | Joe Sandbox ML: detected
Source: 0.0.28New Order -YJ-1906-1933.exe.400000.0.unpack | Joe Sandbox ML: detected
Source: 0.1.28New Order -YJ-1906-1933.exe.400000.0.unpack | Joe Sandbox ML: detected
Source: 10.0.newapp.exe.400000.0.unpack | Joe Sandbox ML: detected
Source: 10.2.newapp.exe.60000.0.unpack | Joe Sandbox ML: detected
Source: 11.1.newapp.exe.400000.0.unpack | Joe Sandbox ML: detected
Source: 11.0.newapp.exe.400000.0.unpack | Joe Sandbox ML: detected
Source: 2.2.28New Order -YJ-1906-1933.exe.2a36000.2.unpack | Joe Sandbox ML: detected
Source: 12.2.newapp.exe.2b36000.2.unpack | Joe Sandbox ML: detected
Source: 12.0.newapp.exe.400000.0.unpack | Joe Sandbox ML: detected
Source: 12.2.newapp.exe.2220000.1.unpack | Joe Sandbox ML: detected
Source: 9.2.newapp.exe.400000.0.unpack | Joe Sandbox ML: detected
Source: 9.0.newapp.exe.400000.0.unpack | Joe Sandbox ML: detected

Networking:

May check the online IP address of the machine
Source: unknown | DNS query: name: checkip.amazonaws.com
Source: unknown | DNS query: name: checkip.amazonaws.com
Source: unknown | DNS query: name: checkip.amazonaws.com
Source: unknown | DNS query: name: checkip.amazonaws.com
HTTP GET or POST without a user agent
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1  Host: checkip.amazonaws.com  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1  Host: checkip.amazonaws.com  Connection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 52.202.139.131
Contains functionality to download additional files from the internet
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe | Code function: 2_2_0011A186 recv
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1  Host: checkip.amazonaws.com  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1  Host: checkip.amazonaws.com  Connection: Keep-Alive
Found strings which match to known social media urls
Source: 28New Order -YJ-1906-1933.exe, 00000002.00000002.1015354762.00000000006FE000.00000004.00000020.sdmp | String found in binary or memory: GMSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365 equals www.hotmail.com (Hotmail)
Source: 28New Order -YJ-1906-1933.exe, 00000002.00000002.1015354762.00000000006FE000.00000004.00000020.sdmp | String found in binary or memory: MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365 equals www.hotmail.com (Hotmail)
Source: 28New Order -YJ-1906-1933.exe, 00000002.00000002.1015354762.00000000006FE000.00000004.00000020.sdmp | String found in binary or memory: MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 3658 equals www.hotmail.com (Hotmail)
Source: 28New Order -YJ-1906-1933.exe, 00000002.00000002.1017288911.0000000006D90000.00000004.00000001.sdmp, newapp.exe, 0000000A.00000002.1024285053.0000000006E30000.00000004.00000001.sdmp | String found in binary or memory: qGFMSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365 equals www.hotmail.com (Hotmail)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: checkip.amazonaws.com
Urls found in memory or binary data
Source: 28New Order -YJ-1906-1933.exe, 00000002.00000002.1017288911.0000000006D90000.00000004.00000001.sdmp, newapp.exe, 0000000A.00000002.1024285053.0000000006E30000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.amazonaws.com
Source: newapp.exe, 0000000A.00000002.1024285053.0000000006E30000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.amazonaws.com/
Source: 28New Order -YJ-1906-1933.exe, 00000002.00000002.1017288911.0000000006D90000.00000004.00000001.sdmp, newapp.exe, 0000000A.00000002.1024285053.0000000006E30000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.amazonaws.comx&
Source: 28New Order -YJ-1906-1933.exe, 00000002.00000002.1015354762.00000000006FE000.00000004.00000020.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: 28New Order -YJ-1906-1933.exe, 00000002.00000002.1015354762.00000000006FE000.00000004.00000020.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico96
Source: 28New Order -YJ-1906-1933.exe, 00000002.00000002.1017288911.0000000006D90000.00000004.00000001.sdmp, newapp.exe, 0000000A.00000002.1024285053.0000000006E30000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/
Source: 28New Order -YJ-1906-1933.exe, 00000002.00000002.1017288911.0000000006D90000.00000004.00000001.sdmp, newapp.exe, 0000000A.00000002.1024285053.0000000006E30000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: 28New Order -YJ-1906-1933.exe, 00000002.00000002.1017288911.0000000006D90000.00000004.00000001.sdmp, newapp.exe, 0000000A.00000002.1024285053.0000000006E30000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/D
Source: 28New Order -YJ-1906-1933.exe, 00000002.00000002.1017288911.0000000006D90000.00000004.00000001.sdmp, newapp.exe, 0000000A.00000002.1024285053.0000000006E30000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/P
Source: 28New Order -YJ-1906-1933.exe, 00000002.00000002.1017288911.0000000006D90000.00000004.00000001.sdmp, newapp.exe, 0000000A.00000002.1024285053.0000000006E30000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/de-ch/
Source: 28New Order -YJ-1906-1933.exe, 00000002.00000002.1017288911.0000000006D90000.00000004.00000001.sdmp, newapp.exe, 0000000A.00000002.1024285053.0000000006E30000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: 28New Order -YJ-1906-1933.exe, 00000002.00000002.1017288911.0000000006D90000.00000004.00000001.sdmp, newapp.exe, 0000000A.00000002.1024285053.0000000006E30000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/de-ch/D
Source: 28New Order -YJ-1906-1933.exe, 00000002.00000002.1017288911.0000000006D90000.00000004.00000001.sdmp, newapp.exe, 0000000A.00000002.1024285053.0000000006E30000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/de-ch/P
Source: 28New Order -YJ-1906-1933.exe, 00000002.00000002.1017288911.0000000006D90000.00000004.00000001.sdmp, newapp.exe, 0000000A.00000002.1024285053.0000000006E30000.00000004.00000001.sdmp | String found in binary or memory: https://tarifrechner.heise.de/widget.php
Source: 28New Order -YJ-1906-1933.exe, 00000002.00000002.1017288911.0000000006D90000.00000004.00000001.sdmp, newapp.exe, 0000000A.00000002.1024285053.0000000006E30000.00000004.00000001.sdmp | String found in binary or memory: https://tarifrechner.heise.de/widget.php?produkt=dsl
Source: 28New Order -YJ-1906-1933.exe, 00000002.00000002.1017288911.0000000006D90000.00000004.00000001.sdmp, newapp.exe, 0000000A.00000002.1024285053.0000000006E30000.00000004.00000001.sdmp | String found in binary or memory: https://tarifrechner.heise.de/widget.phpD
Source: 28New Order -YJ-1906-1933.exe, 00000002.00000002.1017288911.0000000006D90000.00000004.00000001.sdmp, newapp.exe, 0000000A.00000002.1024285053.0000000006E30000.00000004.00000001.sdmp | String found in binary or memory: https://tarifrechner.heise.de/widget.phpP
Source: 28New Order -YJ-1906-1933.exe, 00000002.00000002.1017288911.0000000006D90000.00000004.00000001.sdmp, newapp.exe, 0000000A.00000002.1024285053.0000000006E30000.00000004.00000001.sdmp | String found in binary or memory: https://www.heise.de/
Source: 28New Order -YJ-1906-1933.exe, 00000002.00000002.1017288911.0000000006D90000.00000004.00000001.sdmp, newapp.exe, 0000000A.00000002.1024285053.0000000006E30000.00000004.00000001.sdmp | String found in binary or memory: https://www.heise.de/D
Source: 28New Order -YJ-1906-1933.exe, 00000002.00000002.1017288911.0000000006D90000.00000004.00000001.sdmp, newapp.exe, 0000000A.00000002.1024285053.0000000006E30000.00000004.00000001.sdmp | String found in binary or memory: https://www.heise.de/P

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: 28New Order -YJ-1906-1933.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe | Code function: 0_2_02FD0B8D NtProtectVirtualMemory
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe | Code function: 0_2_02FD0D4E NtSetContextThread
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe | Code function: 2_2_004F0B8D NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Code function: 9_2_02310D4E NtSetContextThread
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Code function: 9_2_02310B8D NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Code function: 10_2_00580B8D NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Code function: 10_2_09160476 NtQuerySystemInformation
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Code function: 10_2_09160445 NtQuerySystemInformation
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Code function: 11_2_02320D4E NtSetContextThread
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Code function: 11_2_02320B8D NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Code function: 12_2_021C0B8D NtProtectVirtualMemory
Creates mutexes
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Detected potential crypto function
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe | Code functions (process 0): 0_2_00402DC4, 0_2_02FD4013, 0_2_02FD1DA1, 0_2_02FD3F9E
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe | Code functions (process 2): 2_2_004060F0, 2_2_00406159, 2_2_0040A570, 2_2_004107A5, 2_2_00405A80, 2_2_00402AB0, 2_2_00405D60, 2_2_00409E70, 2_2_0040AE0F, 2_2_0040BE30, 2_2_004F4013, 2_2_004F3F9E, 2_2_004F1DA1, 2_2_08EF683D, 2_2_08EFA114, 2_2_08EF3A48, 2_2_08EF4C00, 2_2_08EF3E12, 2_2_08EF78C4, 2_2_08EF802D, 2_2_08EFA1BB, 2_2_08EF52A1, 2_2_08EF3A38, 2_2_08EF4BF0, 2_2_08EF8B9E, 2_2_08EF5335, 2_2_08EF7D3C, 2_2_08EF56E2
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Code functions (process 9): 9_2_02314013, 9_2_02311DA1, 9_2_02313F9E
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Code functions (process 10): 10_2_00584013, 10_2_00583F9E, 10_2_00581DA1, 10_2_0901A114, 10_2_0901683D, 10_2_09013A48, 10_2_09014C00, 10_2_09013E13, 10_2_0901A1BB, 10_2_0901802D, 10_2_090178C4, 10_2_09015335, 10_2_09018B9E, 10_2_09014BF0, 10_2_09013A38, 10_2_090152A1, 10_2_09017D3C, 10_2_0901683D, 10_2_090157F8, 10_2_09015606, 10_2_09015637, 10_2_09015E60, 10_2_09018E6F, 10_2_090156E2, 10_2_09AB75F0, 10_2_09ABE500, 10_2_09ABF500, 10_2_09AB7CA0, 10_2_09ABE888, 10_2_09AB0797, 10_2_09AB4BD8, 10_2_09ABDF78, 10_2_09ABD210, 10_2_09ABEE50, 10_2_09ABA5FF, 10_2_09AB5D61, 10_2_09AB7C90, 10_2_09ABAC31, 10_2_09AB0018, 10_2_09AB0070, 10_2_09AB579A, 10_2_09AB570F, 10_2_09AB5771, 10_2_09AB634C, 10_2_09AB56EF, 10_2_09AB5EDB, 10_2_09ABA610, 10_2_09AB5670, 10_2_09EE1888, 10_2_09EE1936, 10_2_09EE0A88, 10_2_09EE0A98
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Code functions (process 11): 11_2_02324013, 11_2_02321DA1, 11_2_02323F9E
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Code functions (process 12): 12_2_021C4013, 12_2_021C3F9E, 12_2_021C1DA1, 12_2_09034C00, 12_2_09033E11, 12_2_09033A48, 12_2_09035335, 12_2_09034BF0, 12_2_090357F8, 12_2_09035606, 12_2_09035637, 12_2_09033A38, 12_2_090352A1, 12_2_090356E2
Found potential string decryption / allocating functionsShow sources
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeCode function: String function: 00410D6C appears 44 times
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeCode function: String function: 0040443A appears 44 times
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeCode function: String function: 004044F1 appears 63 times
PE file contains strange resourcesShow sources
Source: 28New Order -YJ-1906-1933.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: newapp.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Reads the hosts fileShow sources
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Sample file is different than original file name gathered from version infoShow sources
Source: 28New Order -YJ-1906-1933.exe, 00000000.00000002.607431262.0000000002FE6000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameQBDKOWRVUARTLGKFOKPQJECNRTVNANOJHARKXZJQ_20190702121604506.exe4 vs 28New Order -YJ-1906-1933.exe
Source: 28New Order -YJ-1906-1933.exe, 00000000.00000000.592454304.000000000048F000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameAntipodist2.exe vs 28New Order -YJ-1906-1933.exe
Source: 28New Order -YJ-1906-1933.exe, 00000000.00000002.606357771.00000000022F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs 28New Order -YJ-1906-1933.exe
Source: 28New Order -YJ-1906-1933.exe, 00000002.00000002.1014725445.000000000048F000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameAntipodist2.exe vs 28New Order -YJ-1906-1933.exe
Source: 28New Order -YJ-1906-1933.exe, 00000002.00000002.1014082902.0000000000062000.00000020.00000001.sdmpBinary or memory string: OriginalFilenameIELibrary.dll4 vs 28New Order -YJ-1906-1933.exe
Source: 28New Order -YJ-1906-1933.exe, 00000002.00000002.1018408290.00000000092D0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs 28New Order -YJ-1906-1933.exe
Source: 28New Order -YJ-1906-1933.exe, 00000002.00000002.1017092072.0000000006BF0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewbemdisp.tlbj% vs 28New Order -YJ-1906-1933.exe
Source: 28New Order -YJ-1906-1933.exe, 00000002.00000002.1019519736.0000000009A90000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewshom.ocx.mui vs 28New Order -YJ-1906-1933.exe
Source: 28New Order -YJ-1906-1933.exe, 00000002.00000002.1016749709.0000000002A36000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameQBDKOWRVUARTLGKFOKPQJECNRTVNANOJHARKXZJQ_20190702121604506.exe4 vs 28New Order -YJ-1906-1933.exe
Source: 28New Order -YJ-1906-1933.exe, 00000002.00000002.1019487151.0000000009A70000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewshom.ocx vs 28New Order -YJ-1906-1933.exe
Source: 28New Order -YJ-1906-1933.exe, 00000002.00000002.1019299284.00000000098C0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs 28New Order -YJ-1906-1933.exe
Source: 28New Order -YJ-1906-1933.exeBinary or memory string: OriginalFilenameAntipodist2.exe vs 28New Order -YJ-1906-1933.exe
Sample reads its own file contentShow sources
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeFile read: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeJump to behavior
Tries to load missing DLLsShow sources
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeSection loaded: wow64log.dllJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeSection loaded: wow64log.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeSection loaded: wow64log.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeSection loaded: wow64log.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeSection loaded: wow64log.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeSection loaded: wow64log.dllJump to behavior
Classification label
Source: classification engine, Classification label: mal100.troj.spyw.evad.winEXE@9/2@2/1
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe, Code function: 10_2_091602FA AdjustTokenPrivileges,10_2_091602FA
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe, Code function: 10_2_091602C3 AdjustTokenPrivileges,10_2_091602C3
Contains functionality to enum processes or threads
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe, Code function: 2_2_00401470 _getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,CloseHandle,Module32Next,CloseHandle,CloseHandle,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,_memset,LoadLibraryA,GetProcAddress,CLRCreateInstance,GetProcAddress,GetModuleFileNameA,GetModuleFileNameW,EntryPoint,2_2_00401470
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe, Code function: 2_2_00401470 _getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,CloseHandle,Module32Next,CloseHandle,CloseHandle,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,_memset,LoadLibraryA,GetProcAddress,CLRCreateInstance,GetProcAddress,GetModuleFileNameA,GetModuleFileNameW,EntryPoint,2_2_00401470
Creates files inside the user directory
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe, File created: C:\Users\user\AppData\Roaming\newapp
PE file has an executable .text section and no other executable section
Source: 28New Order -YJ-1906-1933.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application use the VB 6.0 runtime library (probably coded in Visual Basic)
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe, Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe, Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Parts of this application use the .NET runtime (probably coded in C#)
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe, Section loaded: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe, Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe, Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe, Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe, Section loaded: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe, Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe, Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe, Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Queries process information (via WMI, Win32_Process)
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe, WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe, WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Reads ini files
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe, File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Reads software policies
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
Source: unknown, Process created: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe 'C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe'
Source: unknown, Process created: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe'
Source: unknown, Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe 'C:\Users\user\AppData\Roaming\newapp\newapp.exe'
Source: unknown, Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe C:\Users\user\AppData\Roaming\newapp\newapp.exe'
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe, Process created: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe'
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe, Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe C:\Users\user\AppData\Roaming\newapp\newapp.exe'
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32
Found graphical window changes (likely an installer)
Source: Window Recorder, Window detected: More than 3 window changes detected
Uses Microsoft Silverlight
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe, File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Checks if Microsoft Office is installed
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Uses new MSVCR Dlls
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe, File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Binary contains paths to debug symbols
Source: Binary string: C:\Users\Admin\Desktop\IELibrary\IELibrary\obj\Debug\IELibrary.pdb source: 28New Order -YJ-1906-1933.exe, 00000002.00000002.1014082902.0000000000062000.00000020.00000001.sdmp, newapp.exe, 0000000A.00000002.1020786323.0000000000062000.00000020.00000001.sdmp, newapp.exe, 0000000C.00000002.791937100.0000000002222000.00000020.00000001.sdmp
Source: Binary string: mscorrc.pdb source: 28New Order -YJ-1906-1933.exe, 00000002.00000002.1019299284.00000000098C0000.00000002.00000001.sdmp, newapp.exe, 0000000A.00000002.1026079938.0000000009AE0000.00000002.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe, Unpacked PE file: 2.2.28New Order -YJ-1906-1933.exe.400000.1.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe, Unpacked PE file: 10.2.newapp.exe.400000.1.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe, Unpacked PE file: 12.2.newapp.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe, Unpacked PE file: 2.2.28New Order -YJ-1906-1933.exe.60000.0.unpack
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe, Unpacked PE file: 10.2.newapp.exe.60000.0.unpack
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe, Unpacked PE file: 12.2.newapp.exe.2220000.1.unpack
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe, Unpacked PE file: 2.2.28New Order -YJ-1906-1933.exe.400000.1.unpack
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe, Unpacked PE file: 10.2.newapp.exe.400000.1.unpack
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe, Unpacked PE file: 12.2.newapp.exe.400000.0.unpack
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe, Code function: 2_2_00401470 _getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,CloseHandle,Module32Next,CloseHandle,CloseHandle,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,_memset,LoadLibraryA,GetProcAddress,CLRCreateInstance,GetProcAddress,GetModuleFileNameA,GetModuleFileNameW,EntryPoint,2_2_00401470
PE file contains an invalid checksum
Source: newapp.exe.2.dr, Static PE information: real checksum: 0x9ce9b should be: 0x9d8aa
Source: 28New Order -YJ-1906-1933.exe, Static PE information: real checksum: 0x9ce9b should be: 0x9d8aa
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe, Code function: 0_2_00403848 push 00401144h; ret 0_2_0040385B
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe, Code function: 0_2_0040344C push 00401144h; ret 0_2_0040345F
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe, Code function: 0_2_0040385C push 00401144h; ret 0_2_0040386F
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe, Code function: 0_2_00403460 push 00401144h; ret 0_2_00403473
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe, Code function: 0_2_00403870 push 00401144h; ret 0_2_00403883
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe, Code function: 0_2_00403474 push 00401144h; ret 0_2_00403487
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe, Code function: 0_2_0040380C push 00401144h; ret 0_2_0040381F
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe, Code function: 0_2_00403410 push 00401144h; ret 0_2_00403423
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe, Code function: 0_2_00403820 push 00401144h; ret 0_2_00403833
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe, Code function: 0_2_00403424 push 00401144h; ret 0_2_00403437
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe, Code function: 0_2_00403834 push 00401144h; ret 0_2_00403847
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe, Code function: 0_2_00403438 push 00401144h; ret 0_2_0040344B
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe, Code function: 0_2_004038C0 push 00401144h; ret 0_2_004038D3
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe, Code function: 0_2_004034C4 push 00401144h; ret 0_2_004034D7
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe, Code function: 0_2_004038D4 push 00401144h; ret 0_2_004038E7
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe, Code function: 0_2_004034D8 push 00401144h; ret 0_2_004034EB
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe, Code function: 0_2_004038E8 push 00401144h; ret 0_2_004038FB
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe, Code function: 0_2_004034EC push 00401144h; ret 0_2_004034FF
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe, Code function: 0_2_004030F7 push 00401144h; ret 0_2_00403103
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe, Code function: 0_2_004038FC push 00401144h; ret 0_2_0040390F
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe, Code function: 0_2_00403884 push 00401144h; ret 0_2_00403897
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe, Code function: 0_2_00403488 push 00401144h; ret 0_2_0040349B
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe, Code function: 0_2_00403898 push 00401144h; ret 0_2_004038AB
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe, Code function: 0_2_0040349C push 00401144h; ret 0_2_004034AF
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe, Code function: 0_2_004038AC push 00401144h; ret 0_2_004038BF
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe, Code function: 0_2_004034B0 push 00401144h; ret 0_2_004034C3
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe, Code function: 0_2_00403140 push 00401144h; ret 0_2_00403153
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe, Code function: 0_2_0040394C push 00401144h; ret 0_2_0040395F
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe, Code function: 0_2_00403550 push 00401144h; ret 0_2_00403563
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe, Code function: 0_2_00403154 push 00401144h; ret 0_2_00403167
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe, Code function: 0_2_0040A558 push ebx; ret 0_2_0040A559

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe, File created: C:\Users\user\AppData\Roaming\newapp\newapp.exe

Boot Survival:

Creates an autostart registry key
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe, Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run newapp

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe, File opened: C:\Users\user\AppData\Roaming\newapp\newapp.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe, File opened: C:\Users\user\AppData\Roaming\newapp\newapp.exe:Zone.Identifier read attributes | delete
Disables application error messsages (SetErrorMode)Show sources
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe Code function: 2_2_00401470 _getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,CloseHandle,Module32Next,CloseHandle,CloseHandle,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,_memset,LoadLibraryA,GetProcAddress,CLRCreateInstance,GetProcAddress,GetModuleFileNameA,GetModuleFileNameW,EntryPoint (2_2_00401470)
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Thread delayed: delay time: 922337203685477
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe Evasive API call chain: GetModuleFileName, DecisionNodes, Sleep (graph_2-33659)
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe TID: 208 Thread sleep count: 37 > 30
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe TID: 1352 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe TID: 3820 Thread sleep count: 90 > 30
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe TID: 3820 Thread sleep time: -45000s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 3644 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 3024 Thread sleep count: 60 > 30
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 3024 Thread sleep time: -30000s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Last function: Thread delayed
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: 28New Order -YJ-1906-1933.exe, 00000002.00000002.1018408290.00000000092D0000.00000002.00000001.sdmp, newapp.exe, 0000000A.00000002.1025423625.00000000094A0000.00000002.00000001.sdmp, newapp.exe, 0000000C.00000002.795639360.0000000009480000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: 28New Order -YJ-1906-1933.exe, 00000002.00000002.1015354762.00000000006FE000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\
Source: 28New Order -YJ-1906-1933.exe, 00000002.00000002.1015354762.00000000006FE000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: 28New Order -YJ-1906-1933.exe, 00000002.00000002.1018408290.00000000092D0000.00000002.00000001.sdmp, newapp.exe, 0000000A.00000002.1025423625.00000000094A0000.00000002.00000001.sdmp, newapp.exe, 0000000C.00000002.795639360.0000000009480000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: 28New Order -YJ-1906-1933.exe, 00000002.00000002.1018408290.00000000092D0000.00000002.00000001.sdmp, newapp.exe, 0000000A.00000002.1025423625.00000000094A0000.00000002.00000001.sdmp, newapp.exe, 0000000C.00000002.795639360.0000000009480000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: 28New Order -YJ-1906-1933.exe, 00000002.00000002.1018408290.00000000092D0000.00000002.00000001.sdmp, newapp.exe, 0000000A.00000002.1025423625.00000000094A0000.00000002.00000001.sdmp, newapp.exe, 0000000C.00000002.795639360.0000000009480000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Program exit points
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe API call chain: ExitProcess graph end node (graph_2-33727)
Queries a list of all running processes
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe Process information queried: ProcessInformation

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe System information queried: KernelDebuggerInformation
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe Code function: 2_2_08EF8704 LdrInitializeThunk,KiUserExceptionDispatcher (2_2_08EF8704)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe Code function: 2_2_004119BE _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess (2_2_004119BE)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe Code function: 2_2_00401470 _getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,CloseHandle,Module32Next,CloseHandle,CloseHandle,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,_memset,LoadLibraryA,GetProcAddress,CLRCreateInstance,GetProcAddress,GetModuleFileNameA,GetModuleFileNameW,EntryPoint (2_2_00401470)
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe Code function: 2_2_00401470 _getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,CloseHandle,Module32Next,CloseHandle,CloseHandle,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,_memset,LoadLibraryA,GetProcAddress,CLRCreateInstance,GetProcAddress,GetModuleFileNameA,GetModuleFileNameW,EntryPoint (2_2_00401470)
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe Code function: 0_2_02FD0C27 mov eax, dword ptr fs:[00000030h] (0_2_02FD0C27)
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe Code function: 0_2_02FD0C1A mov eax, dword ptr fs:[00000030h] (0_2_02FD0C1A)
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe Code function: 0_2_02FD09E2 mov eax, dword ptr fs:[00000030h] (0_2_02FD09E2)
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe Code function: 0_2_02FD0BAB mov eax, dword ptr fs:[00000030h] (0_2_02FD0BAB)
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe Code function: 0_2_02FD154F mov eax, dword ptr fs:[00000030h] (0_2_02FD154F)
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe Code function: 2_2_004F154F mov eax, dword ptr fs:[00000030h] (2_2_004F154F)
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe Code function: 2_2_004F0C1A mov eax, dword ptr fs:[00000030h] (2_2_004F0C1A)
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe Code function: 2_2_004F0C27 mov eax, dword ptr fs:[00000030h] (2_2_004F0C27)
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe Code function: 2_2_004F09E2 mov eax, dword ptr fs:[00000030h] (2_2_004F09E2)
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe Code function: 2_2_004F0BAB mov eax, dword ptr fs:[00000030h] (2_2_004F0BAB)
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_02310C27 mov eax, dword ptr fs:[00000030h] (9_2_02310C27)
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_02310C1A mov eax, dword ptr fs:[00000030h] (9_2_02310C1A)
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_0231154F mov eax, dword ptr fs:[00000030h] (9_2_0231154F)
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_02310BAB mov eax, dword ptr fs:[00000030h] (9_2_02310BAB)
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 9_2_023109E2 mov eax, dword ptr fs:[00000030h] (9_2_023109E2)
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 10_2_0058154F mov eax, dword ptr fs:[00000030h] (10_2_0058154F)
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 10_2_00580C1A mov eax, dword ptr fs:[00000030h] (10_2_00580C1A)
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 10_2_00580C27 mov eax, dword ptr fs:[00000030h] (10_2_00580C27)
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 10_2_005809E2 mov eax, dword ptr fs:[00000030h] (10_2_005809E2)
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 10_2_00580BAB mov eax, dword ptr fs:[00000030h] (10_2_00580BAB)
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 11_2_02320C27 mov eax, dword ptr fs:[00000030h] (11_2_02320C27)
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 11_2_02320C1A mov eax, dword ptr fs:[00000030h] (11_2_02320C1A)
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 11_2_0232154F mov eax, dword ptr fs:[00000030h] (11_2_0232154F)
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 11_2_02320BAB mov eax, dword ptr fs:[00000030h] (11_2_02320BAB)
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 11_2_023209E2 mov eax, dword ptr fs:[00000030h] (11_2_023209E2)
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 12_2_021C0C1A mov eax, dword ptr fs:[00000030h] (12_2_021C0C1A)
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 12_2_021C0C27 mov eax, dword ptr fs:[00000030h] (12_2_021C0C27)
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 12_2_021C154F mov eax, dword ptr fs:[00000030h] (12_2_021C154F)
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 12_2_021C0BAB mov eax, dword ptr fs:[00000030h] (12_2_021C0BAB)
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 12_2_021C09E2 mov eax, dword ptr fs:[00000030h] (12_2_021C09E2)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe Code function: 2_2_00405550 VirtualAlloc,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualAlloc,VirtualAlloc (2_2_00405550)
Enables debug privileges
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe Process token adjusted: Debug
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe Code function: 2_2_004154E1 SetUnhandledExceptionFilter (2_2_004154E1)
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe Code function: 2_2_004119BE _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess (2_2_004119BE)
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe Code function: 2_2_00415C0B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess (2_2_00415C0B)
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe Code function: 2_2_00418E39 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter (2_2_00418E39)
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
Source: 28New Order -YJ-1906-1933.exe, 00000002.00000002.1015475156.0000000000CE0000.00000002.00000001.sdmp, newapp.exe, 0000000A.00000002.1022461004.0000000000E20000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: 28New Order -YJ-1906-1933.exe, 00000002.00000002.1015475156.0000000000CE0000.00000002.00000001.sdmp, newapp.exe, 0000000A.00000002.1022461004.0000000000E20000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: 28New Order -YJ-1906-1933.exe, 00000002.00000002.1015475156.0000000000CE0000.00000002.00000001.sdmp, newapp.exe, 0000000A.00000002.1022461004.0000000000E20000.00000002.00000001.sdmp Binary or memory string: Progman
Source: 28New Order -YJ-1906-1933.exe, 00000002.00000002.1015475156.0000000000CE0000.00000002.00000001.sdmp, newapp.exe, 0000000A.00000002.1022461004.0000000000E20000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe Code function: GetLocaleInfoA (2_2_004198F0)
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe Code function: 2_2_00415B06 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,RtlQueryPerformanceCounter (2_2_00415B06)
Contains functionality to query the account / user name
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe Code function: 2_2_0011A3B2 GetUserNameW (2_2_0011A3B2)
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\28New Order -YJ-1906-1933.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
[Behavior graph image; recoverable labels:] Behavior Graph ID: 151573; Sample: 28New Order -YJ-1906-1933.exe; Startdate: 12/07/2019; Architecture: WINDOWS; Score: 100. DNS nodes: checkip.us-east-1.prod.check-ip.aws.a2z.com, checkip.check-ip.aws.a2z.com, checkip.amazonaws.com. Root signatures: Antivirus or Machine Learning detection for sample; Detected unpacking (changes PE section rights); Detected unpacking (creates a PE file in dynamic memory); 4 other signatures. Processes started: newapp.exe, 28New Order -YJ-1906-1933.exe, newapp.exe (each spawning a child of the same name). Signatures on dropped file: Antivirus or Machine Learning detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (creates a PE file in dynamic memory); 2 other signatures. Signatures on the child newapp.exe: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; the remainder of the graph is cut off in the extracted page.