Windows Analysis Report New Order.exe

Overview

General Information

Sample Name: New Order.exe
Analysis ID: 438531
MD5: 4af03301316c984c17ca822456b6d918
SHA1: ad237296e61bde6fe8ba894ec7445bb9bc76ab69
SHA256: ac339f7ecac47cfc3a860ad42986d9f8d68208e7c7df8b21d4640ade4f2b5131
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 00000005.00000002.901125001.0000000000EB0000.00000004.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.achainz.com/de52/"], "decoy": ["securenotifications.com", "queenannedelights.com", "ametistadigital.com", "nebraskapaymentrelief.net", "biologicsas.com", "vidalifegroupeurope.com", "sedulabs.com", "relaxingread.com", "oucompany.com", "ty-valve.com", "noakum.com", "neuralinkages.com", "heirsfriend.net", "collectordrive.com", "holidayrefers.com", "rhodessunbed.com", "smartlearningservice.com", "gangju123.com", "yymh8826.com", "ssmgaezp.icu", "nagosemo.store", "czzubniimplantaty.com", "cuttingemporium.com", "sapphireresortapts.com", "thingsnice.com", "occasionalassistant.com", "dietsz.com", "agenciaay.com", "sahaazancosmetics.com", "citizenshipswap.com", "tarjetasbogota.com", "naughtyofficegirls.today", "pamcakedesigns.com", "mytopshelfcloset.com", "optimismactivism.com", "ecard07.com", "ravexim3.com", "1677onyx.com", "blossomkc.com", "havdalahwomen.com", "centraldot.xyz", "runtilltheresnone.com", "alisonhahn.com", "mikesyardsale.com", "ayanmobile.com", "riseframework.com", "intermittentfastingcbd.com", "fahn555.icu", "triumphosophy.com", "mns6238.com", "sallyta.com", "miqr.art", "canadance.net", "poisedbylanaburroughs.com", "artistasmarbella.com", "multimater.info", "trapapa-bitter-nr1-bb.com", "naijadelivery.com", "365killoffices.xyz", "cmvtholiday.taipei", "bespokephysicaltherapy.com", "candlewands.com", "tabakico.com", "domentemenegi39.net"]}
Multi AV Scanner detection for submitted file
Source: New Order.exe ReversingLabs: Detection: 36%
Yara detected FormBook
Source: Yara match File source: 00000005.00000002.901125001.0000000000EB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.901427699.0000000003380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.690404186.00000000009F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.645023716.00000000022A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.690073712.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000001.642981900.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.690378991.00000000009C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.New Order.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.New Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.New Order.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.New Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New Order.exe.22a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New Order.exe.22a0000.2.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: New Order.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 5.2.wscript.exe.34180a8.3.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 5.2.wscript.exe.5957960.6.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 2.1.New Order.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.New Order.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.New Order.exe.22a0000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: New Order.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wscript.pdbGCTL source: New Order.exe, 00000002.00000002.690441656.0000000000A30000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000003.00000000.656881329.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: New Order.exe, 00000000.00000003.641817824.0000000009770000.00000004.00000001.sdmp, New Order.exe, 00000002.00000002.690473130.0000000000BC0000.00000040.00000001.sdmp, wscript.exe, 00000005.00000002.901871458.0000000005420000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: New Order.exe, wscript.exe
Source: Binary string: wscript.pdb source: New Order.exe, 00000002.00000002.690441656.0000000000A30000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000003.00000000.656881329.0000000005A00000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\New Order.exe Code function: 0_2_00405E93 FindFirstFileA,FindClose, 0_2_00405E93
Source: C:\Users\user\Desktop\New Order.exe Code function: 0_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_004054BD
Source: C:\Users\user\Desktop\New Order.exe Code function: 0_2_00402671 FindFirstFileA, 0_2_00402671
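The static PE flags listed above (LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED) are the COFF Characteristics bits of the file header. RELOCS_STRIPPED is the one worth recording at triage: the image carries no relocation table, so it cannot be rebased, which is the usual profile of an NSIS-built installer stub (the nsis.sf.net error strings found in this sample point the same way). The script below is an added example, not Joe Sandbox or report code: it decodes those bits from a constructed minimal PE header so it runs offline (the build_min_pe helper and its 0x010F flag value are assumptions chosen to reproduce the report's five flags), and characteristics_of() applies the same decoder to a real file on disk.

```python
"""Decode the COFF Characteristics flags of a PE file.

Added example; it is not part of the Joe Sandbox report. The inline PE
header is constructed so the decoder can be exercised without the sample.
"""
import struct
from typing import Dict, List

# IMAGE_FILE_* bits from winnt.h / the PE-COFF specification.
IMAGE_FILE_CHARACTERISTICS: Dict[int, str] = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0010: "AGGRESSIVE_WS_TRIM",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0080: "BYTES_REVERSED_LO",
    0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED",
    0x0400: "REMOVABLE_RUN_FROM_SWAP",
    0x0800: "NET_RUN_FROM_SWAP",
    0x1000: "SYSTEM",
    0x2000: "DLL",
    0x4000: "UP_SYSTEM_ONLY",
    0x8000: "BYTES_REVERSED_HI",
}


def parse_coff_header(data: bytes) -> dict:
    """Locate the COFF header via e_lfanew and return Machine/Characteristics."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # COFF header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, _ts, _symptr, _nsyms, _optsize, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {"machine": machine, "sections": nsections, "characteristics": chars}


def decode_characteristics(value: int) -> List[str]:
    """Expand the Characteristics word into flag names, lowest bit first."""
    names = [name for bit, name in sorted(IMAGE_FILE_CHARACTERISTICS.items()) if value & bit]
    known_mask = 0
    for bit in IMAGE_FILE_CHARACTERISTICS:
        known_mask |= bit
    unknown = value & ~known_mask
    if unknown:                      # reserved bits are a red flag in their own right
        names.append(f"UNKNOWN_0x{unknown:04x}")
    return names


def characteristics_of(path: str) -> List[str]:
    """Decode the flags of a real file (e.g. the 'New Order.exe' sample)."""
    with open(path, "rb") as f:
        header = parse_coff_header(f.read(4096))
    return decode_characteristics(header["characteristics"])


def build_min_pe(characteristics: int, machine: int = 0x014C) -> bytes:
    """Constructed stub: a DOS header whose e_lfanew points at a COFF header
    at offset 0x80. 0x014C is IMAGE_FILE_MACHINE_I386 (a 32-bit PE)."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    coff = struct.pack("<HHIIIHH", machine, 4, 0, 0, 0, 0xE0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    # 0x010F is an assumed value that yields exactly the report's five flags.
    sample = build_min_pe(0x010F)
    print(decode_characteristics(parse_coff_header(sample)["characteristics"]))
```

A file that reports RELOCS_STRIPPED together with 32BIT_MACHINE and no DLL bit is a fixed-base 32-bit executable; the loader cannot apply ASLR to it, and any payload that hollows the process (see the injection signatures further down) can rely on the image being at its preferred base.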

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\New Order.exe Code function: 4x nop then pop ebx 2_2_00406A94
Source: C:\Users\user\Desktop\New Order.exe Code function: 4x nop then pop ebx 2_1_00406A94
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4x nop then pop ebx 5_2_03386A96

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49765 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49765 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49765 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49778 -> 35.209.88.35:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49778 -> 35.209.88.35:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49778 -> 35.209.88.35:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.achainz.com/de52/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /de52/?z6Ad_8Jp=q/8Nbvd67YPMVz3o7HcOnLFi8lrYmwA47pjKffLVRoseAGTrTNs7CZxo0gnZJZCgi/pT&Yz=0bpDyT HTTP/1.1; Host: www.collectordrive.com; Connection: close; Data Raw: 00 00 00 00 00 00 00 (Data Ascii: seven non-printable null bytes)
Source: global traffic HTTP traffic detected: GET /de52/?z6Ad_8Jp=jbY8motXMJXjJrQ4SeyjR+FjRclRi1mJ8dBASwUO8jLWL5/FFIvWjS8rmQthPplPuKqV&Yz=0bpDyT HTTP/1.1; Host: www.dietsz.com; Connection: close; Data Raw: 00 00 00 00 00 00 00 (Data Ascii: seven non-printable null bytes)
Source: global traffic HTTP traffic detected: GET /de52/?z6Ad_8Jp=KfmGdnK98UrOdo4kMnFtb2+M9fToEn1F+Gzo6oV5pCedLQ1HneT9cj2ied9UzRR+PF6A&Yz=0bpDyT HTTP/1.1; Host: www.gangju123.com; Connection: close; Data Raw: 00 00 00 00 00 00 00 (Data Ascii: seven non-printable null bytes)
Source: global traffic HTTP traffic detected: GET /de52/?z6Ad_8Jp=VjXAIgKfhvF8hRWD/e05oFFe9piey6xRf/uiJW4aXhiEfFySQTYX7BGVKv+i/OP+5wGQ&Yz=0bpDyT HTTP/1.1; Host: www.ayanmobile.com; Connection: close; Data Raw: 00 00 00 00 00 00 00 (Data Ascii: seven non-printable null bytes)
Source: global traffic HTTP traffic detected: GET /de52/?z6Ad_8Jp=/MwPCQmb8N4Awmw4mMKJPRGOCBQ0FmS8LiYPDqoyki9FgjxxSyxFyKWOR1kxSGqMaJan&Yz=0bpDyT HTTP/1.1; Host: www.securenotifications.com; Connection: close; Data Raw: 00 00 00 00 00 00 00 (Data Ascii: seven non-printable null bytes)
Source: global traffic HTTP traffic detected: GET /de52/?z6Ad_8Jp=A6XO+ITKnQQbOEvUMrF2CVYLPv45kLd/uv2YdfW9vEZfPW6611dfa85KEkC5Wqh6gBNa&Yz=0bpDyT HTTP/1.1; Host: www.cuttingemporium.com; Connection: close; Data Raw: 00 00 00 00 00 00 00 (Data Ascii: seven non-printable null bytes)
Source: global traffic HTTP traffic detected: GET /de52/?z6Ad_8Jp=LwTVedL55OWwkv7g5+M8qNIWWWhwOSQTlz2nKf3SzAUgx635MxYM24Oa4PrOeZWczuGU&Yz=0bpDyT HTTP/1.1; Host: www.optimismactivism.com; Connection: close; Data Raw: 00 00 00 00 00 00 00 (Data Ascii: seven non-printable null bytes)
Source: global traffic HTTP traffic detected: GET /de52/?z6Ad_8Jp=qb+cDyZ+/Kn0EiG8qAwackOr+Z8XD7HPsMVV4+H0Ra088mc2au++kj7rvX/qHs87RHMJ&Yz=0bpDyT HTTP/1.1; Host: www.occasionalassistant.com; Connection: close; Data Raw: 00 00 00 00 00 00 00 (Data Ascii: seven non-printable null bytes)
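Every one of the eight check-ins above went to a domain from the configuration's "decoy" list; the configured C2 (www.achainz.com/de52/) was never contacted during this run. That is the practical point of the extracted configuration: an allow/deny list built only from the hosts a sandbox happened to see would miss the real C2 and block only decoys. The script below is an added example, not Joe Sandbox or FormBook code. It parses a constructed request log (the first two lines are copied from the report; the third, to the configured C2, and the fourth, a benign request, are constructed), matches each request against the extracted configuration, and tests the request shape the report shows: a GET to the 4-character path taken from the C2 URL, one long base64-like query value and one short one, and no User-Agent header. That shape test is an assumption read off these requests, not a published FormBook specification.

```python
"""Correlate FormBook HTTP check-ins with the extracted configuration.

Added example; not part of the Joe Sandbox report and not FormBook code.
CONFIG is an excerpt of the report's extracted configuration. REQUEST_LOG
is constructed: lines 1-2 are the report's own requests, line 3 is an
assumed request to the configured C2 (never observed in the sandbox run),
line 4 is an assumed benign request.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

CONFIG = {
    "C2 list": ["www.achainz.com/de52/"],
    "decoy": ["securenotifications.com", "collectordrive.com", "gangju123.com",
              "dietsz.com", "cuttingemporium.com", "occasionalassistant.com",
              "ayanmobile.com", "optimismactivism.com"],
}

# Constructed log: one request per line, headers joined with "; ".
REQUEST_LOG = """\
GET /de52/?z6Ad_8Jp=q/8Nbvd67YPMVz3o7HcOnLFi8lrYmwA47pjKffLVRoseAGTrTNs7CZxo0gnZJZCgi/pT&Yz=0bpDyT HTTP/1.1; Host: www.collectordrive.com; Connection: close
GET /de52/?z6Ad_8Jp=jbY8motXMJXjJrQ4SeyjR+FjRclRi1mJ8dBASwUO8jLWL5/FFIvWjS8rmQthPplPuKqV&Yz=0bpDyT HTTP/1.1; Host: www.dietsz.com; Connection: close
GET /de52/?z6Ad_8Jp=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&Yz=0bpDyT HTTP/1.1; Host: www.achainz.com; Connection: close
GET /index.html HTTP/1.1; Host: www.example.org; User-Agent: Mozilla/5.0; Connection: close
"""

BASE64ISH = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


@dataclass
class Request:
    host: str
    path: str
    params: List[Tuple[str, str]]
    has_user_agent: bool


def strip_www(host: str) -> str:
    return host[4:] if host.startswith("www.") else host


def parse_request(line: str) -> Optional[Request]:
    """Parse 'METHOD target HTTP/1.x; Header: value; ...' into a Request."""
    request_line, *headers = [p.strip() for p in line.split(";")]
    m = re.match(r"^(GET|POST) (\S+) HTTP/1\.[01]$", request_line)
    if not m:
        return None
    hdrs: Dict[str, str] = {}
    for h in headers:
        name, _, value = h.partition(":")
        hdrs[name.strip().lower()] = value.strip()
    url = urlsplit(m.group(2))
    # Split the query by hand: parse_qs would turn a base64 '+' into a space.
    params = [tuple(kv.split("=", 1)) if "=" in kv else (kv, "")
              for kv in url.query.split("&") if kv]
    return Request(hdrs.get("host", ""), url.path, params, "user-agent" in hdrs)


def c2_endpoints(config: dict) -> Dict[str, str]:
    """Map C2 host -> path from entries like 'www.achainz.com/de52/'."""
    out = {}
    for entry in config["C2 list"]:
        host, _, path = entry.partition("/")
        out[host] = "/" + path
    return out


def looks_like_formbook_checkin(req: Request, c2: Dict[str, str]) -> bool:
    """Assumed shape: C2 path, long base64-like value + short value, no UA."""
    return (req.path in set(c2.values())
            and len(req.params) == 2
            and len(req.params[0][1]) >= 40
            and BASE64ISH.match(req.params[0][1]) is not None
            and len(req.params[1][1]) <= 8
            and not req.has_user_agent)


def classify(req: Request, config: dict) -> dict:
    c2 = c2_endpoints(config)
    bare = strip_www(req.host)
    if bare in {strip_www(h) for h in c2}:
        role = "c2"
    elif bare in config["decoy"]:
        role = "decoy"
    else:
        role = "unrelated"
    return {"host": req.host, "role": role,
            "formbook_shape": looks_like_formbook_checkin(req, c2)}


def triage(log: str, config: dict) -> List[dict]:
    reqs = (parse_request(line) for line in log.splitlines() if line.strip())
    return [classify(r, config) for r in reqs if r is not None]


def hosts_to_block(config: dict, results: List[dict]) -> Set[str]:
    """Configured C2 hosts always, plus any host that received a check-in.
    Blocking only what the sandbox contacted would miss www.achainz.com."""
    hosts = set(c2_endpoints(config))
    hosts.update(r["host"] for r in results if r["formbook_shape"])
    return hosts


if __name__ == "__main__":
    for row in triage(REQUEST_LOG, CONFIG):
        print(row)
    print(sorted(hosts_to_block(CONFIG, REQUEST_LOG and triage(REQUEST_LOG, CONFIG))))
```

The decoy traffic is still useful as a detection signal (the ET Snort rules above fire on exactly this request shape), but for response the blocking list must come from the configuration, and the decoy domains should be treated as legitimate sites that happen to be on the malware's list rather than as attacker infrastructure.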
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 208.91.197.91
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TELECOM-HKHongKongTelecomGlobalDataCentreHK
Source: Joe Sandbox View ASN Name: CONFLUENCE-NETWORK-INCVG
Source: unknown DNS traffic detected: queries for: www.collectordrive.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
  Server: nginx
  Date: Tue, 22 Jun 2021 16:06:46 GMT
  Content-Type: text/html
  Transfer-Encoding: chunked
  Connection: close
  Vary: Accept-Encoding
  X-Httpd: 1
  Host-Header: 6b7412fb82ca5edfd0917e3957f05d89
  X-Proxy-Cache: MISS
  X-Proxy-Cache-Info: 0 NC:000000 UP:
  Data (decoded from the raw hex dump, which the report truncates): a chunked HTML body (first chunk size 0x13d8f) starting <!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0"><title>404 - Not found</title><link href="https://fonts.googleapis.com/css?family=Open+Sans:400,700%7CRoboto:400,700" rel="stylesheet"><style> followed by inline CSS (box-sizing, body, .fit-wide and .background-wrap rules), i.e. a generic hosting-provider "404 - Not found" page.
Source: explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: New Order.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: New Order.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000003.00000000.648249693.0000000002B50000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000000.662259185.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: wscript.exe, 00000005.00000002.902285037.0000000005AD2000.00000004.00000001.sdmp String found in binary or memory: https://fonts.googleapis.com/css?family=Open

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\New Order.exe Code function: 0_2_00404FC2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00404FC2

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000005.00000002.901125001.0000000000EB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.901427699.0000000003380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.690404186.00000000009F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.645023716.00000000022A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.690073712.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000001.642981900.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.690378991.00000000009C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.New Order.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.New Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.New Order.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.New Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New Order.exe.22a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New Order.exe.22a0000.2.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000005.00000002.901125001.0000000000EB0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.901125001.0000000000EB0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.901427699.0000000003380000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.901427699.0000000003380000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.690404186.00000000009F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.690404186.00000000009F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.645023716.00000000022A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.645023716.00000000022A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.690073712.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.690073712.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000001.642981900.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000001.642981900.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.690378991.00000000009C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.690378991.00000000009C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.New Order.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.New Order.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.1.New Order.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.1.New Order.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.1.New Order.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.1.New Order.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.New Order.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.New Order.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.New Order.exe.22a0000.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.New Order.exe.22a0000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.New Order.exe.22a0000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.New Order.exe.22a0000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: New Order.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_004181C0 NtCreateFile, 2_2_004181C0
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00418270 NtReadFile, 2_2_00418270
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_004182F0 NtClose, 2_2_004182F0
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_004183A0 NtAllocateVirtualMemory, 2_2_004183A0
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_004181BC NtCreateFile, 2_2_004181BC
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_0041826B NtReadFile, 2_2_0041826B
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_004182EF NtClose, 2_2_004182EF
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_0041839F NtAllocateVirtualMemory, 2_2_0041839F
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C298F0 NtReadVirtualMemory,LdrInitializeThunk, 2_2_00C298F0
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C29840 NtDelayExecution,LdrInitializeThunk, 2_2_00C29840
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C29860 NtQuerySystemInformation,LdrInitializeThunk, 2_2_00C29860
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C299A0 NtCreateSection,LdrInitializeThunk, 2_2_00C299A0
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C29910 NtAdjustPrivilegesToken,LdrInitializeThunk, 2_2_00C29910
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C29A50 NtCreateFile,LdrInitializeThunk, 2_2_00C29A50
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C29A00 NtProtectVirtualMemory,LdrInitializeThunk, 2_2_00C29A00
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C29A20 NtResumeThread,LdrInitializeThunk, 2_2_00C29A20
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C295D0 NtClose,LdrInitializeThunk, 2_2_00C295D0
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C29540 NtReadFile,LdrInitializeThunk, 2_2_00C29540
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C296E0 NtFreeVirtualMemory,LdrInitializeThunk, 2_2_00C296E0
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C29660 NtAllocateVirtualMemory,LdrInitializeThunk, 2_2_00C29660
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C29FE0 NtCreateMutant,LdrInitializeThunk, 2_2_00C29FE0
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C29780 NtMapViewOfSection,LdrInitializeThunk, 2_2_00C29780
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C297A0 NtUnmapViewOfSection,LdrInitializeThunk, 2_2_00C297A0
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C29710 NtQueryInformationToken,LdrInitializeThunk, 2_2_00C29710
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C298A0 NtWriteVirtualMemory, 2_2_00C298A0
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C2B040 NtSuspendThread, 2_2_00C2B040
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C29820 NtEnumerateKey, 2_2_00C29820
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C299D0 NtCreateProcessEx, 2_2_00C299D0
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C29950 NtQueueApcThread, 2_2_00C29950
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C29A80 NtOpenDirectoryObject, 2_2_00C29A80
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C29A10 NtQuerySection, 2_2_00C29A10
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C2A3B0 NtGetContextThread, 2_2_00C2A3B0
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C29B00 NtSetValueKey, 2_2_00C29B00
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C295F0 NtQueryInformationFile, 2_2_00C295F0
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C29560 NtWriteFile, 2_2_00C29560
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C29520 NtWaitForSingleObject, 2_2_00C29520
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C2AD30 NtSetContextThread, 2_2_00C2AD30
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C296D0 NtCreateKey, 2_2_00C296D0
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C29650 NtQueryValueKey, 2_2_00C29650
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C29670 NtQueryInformationProcess, 2_2_00C29670
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C29610 NtEnumerateValueKey, 2_2_00C29610
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C29760 NtOpenProcess, 2_2_00C29760
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C29770 NtSetInformationFile, 2_2_00C29770
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C2A770 NtOpenThread, 2_2_00C2A770
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C2A710 NtOpenProcessToken, 2_2_00C2A710
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C29730 NtQueryVirtualMemory, 2_2_00C29730
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_1_004181C0 NtCreateFile, 2_1_004181C0
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_1_00418270 NtReadFile, 2_1_00418270
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_1_004182F0 NtClose, 2_1_004182F0
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_1_004183A0 NtAllocateVirtualMemory, 2_1_004183A0
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_1_004181BC NtCreateFile, 2_1_004181BC
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_1_0041826B NtReadFile, 2_1_0041826B
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_1_004182EF NtClose, 2_1_004182EF
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_1_0041839F NtAllocateVirtualMemory, 2_1_0041839F
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05489540 NtReadFile,LdrInitializeThunk, 5_2_05489540
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_054895D0 NtClose,LdrInitializeThunk, 5_2_054895D0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05489710 NtQueryInformationToken,LdrInitializeThunk, 5_2_05489710
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05489FE0 NtCreateMutant,LdrInitializeThunk, 5_2_05489FE0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05489780 NtMapViewOfSection,LdrInitializeThunk, 5_2_05489780
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05489650 NtQueryValueKey,LdrInitializeThunk, 5_2_05489650
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05489660 NtAllocateVirtualMemory,LdrInitializeThunk, 5_2_05489660
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_054896D0 NtCreateKey,LdrInitializeThunk, 5_2_054896D0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_054896E0 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_054896E0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05489910 NtAdjustPrivilegesToken,LdrInitializeThunk, 5_2_05489910
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_054899A0 NtCreateSection,LdrInitializeThunk, 5_2_054899A0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05489840 NtDelayExecution,LdrInitializeThunk, 5_2_05489840
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05489860 NtQuerySystemInformation,LdrInitializeThunk, 5_2_05489860
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05489A50 NtCreateFile,LdrInitializeThunk, 5_2_05489A50
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05489560 NtWriteFile, 5_2_05489560
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05489520 NtWaitForSingleObject, 5_2_05489520
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0548AD30 NtSetContextThread, 5_2_0548AD30
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_054895F0 NtQueryInformationFile, 5_2_054895F0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05489760 NtOpenProcess, 5_2_05489760
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0548A770 NtOpenThread, 5_2_0548A770
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05489770 NtSetInformationFile, 5_2_05489770
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0548A710 NtOpenProcessToken, 5_2_0548A710
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05489730 NtQueryVirtualMemory, 5_2_05489730
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_054897A0 NtUnmapViewOfSection, 5_2_054897A0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05489670 NtQueryInformationProcess, 5_2_05489670
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05489610 NtEnumerateValueKey, 5_2_05489610
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05489950 NtQueueApcThread, 5_2_05489950
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_054899D0 NtCreateProcessEx, 5_2_054899D0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0548B040 NtSuspendThread, 5_2_0548B040
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05489820 NtEnumerateKey, 5_2_05489820
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_054898F0 NtReadVirtualMemory, 5_2_054898F0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_054898A0 NtWriteVirtualMemory, 5_2_054898A0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05489B00 NtSetValueKey, 5_2_05489B00
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0548A3B0 NtGetContextThread, 5_2_0548A3B0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05489A00 NtProtectVirtualMemory, 5_2_05489A00
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05489A10 NtQuerySection, 5_2_05489A10
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05489A20 NtResumeThread, 5_2_05489A20
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05489A80 NtOpenDirectoryObject, 5_2_05489A80
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_033983A0 NtAllocateVirtualMemory, 5_2_033983A0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_03398270 NtReadFile, 5_2_03398270
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_033982F0 NtClose, 5_2_033982F0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_033981C0 NtCreateFile, 5_2_033981C0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0339839F NtAllocateVirtualMemory, 5_2_0339839F
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0339826B NtReadFile, 5_2_0339826B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_033982EF NtClose, 5_2_033982EF
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_033981BC NtCreateFile, 5_2_033981BC
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\New Order.exe Code function: 0_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_004030FB
Detected potential crypto function
Source: C:\Users\user\Desktop\New Order.exe Code function: 0_2_004047D3 0_2_004047D3
Source: C:\Users\user\Desktop\New Order.exe Code function: 0_2_004061D4 0_2_004061D4
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00401030 2_2_00401030
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_0041C122 2_2_0041C122
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_0041CB54 2_2_0041CB54
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00408C4D 2_2_00408C4D
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00408C50 2_2_00408C50
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_0041BC5C 2_2_0041BC5C
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00402D88 2_2_00402D88
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00402D90 2_2_00402D90
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_0041B626 2_2_0041B626
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_0041BF31 2_2_0041BF31
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00402FB0 2_2_00402FB0
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CB28EC 2_2_00CB28EC
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BFB090 2_2_00BFB090
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C120A0 2_2_00C120A0
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CB20A8 2_2_00CB20A8
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CA1002 2_2_00CA1002
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CBE824 2_2_00CBE824
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C0A830 2_2_00C0A830
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C099BF 2_2_00C099BF
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BEF900 2_2_00BEF900
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C04120 2_2_00C04120
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CA4AEF 2_2_00CA4AEF
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CB22AE 2_2_00CB22AE
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C9FA2B 2_2_00C9FA2B
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C0B236 2_2_00C0B236
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CA03DA 2_2_00CA03DA
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CADBD2 2_2_00CADBD2
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C1ABD8 2_2_00C1ABD8
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C923E3 2_2_00C923E3
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C1138B 2_2_00C1138B
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C1EBB0 2_2_00C1EBB0
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C0AB40 2_2_00C0AB40
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C8CB4F 2_2_00C8CB4F
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C0A309 2_2_00C0A309
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CB2B28 2_2_00CB2B28
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CA4496 2_2_00CA4496
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BF841F 2_2_00BF841F
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CAD466 2_2_00CAD466
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C0B477 2_2_00C0B477
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CB25DD 2_2_00CB25DD
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C12581 2_2_00C12581
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CA2D82 2_2_00CA2D82
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BFD5E0 2_2_00BFD5E0
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BE0D20 2_2_00BE0D20
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CB1D55 2_2_00CB1D55
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CB2D07 2_2_00CB2D07
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CB2EF7 2_2_00CB2EF7
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CAD616 2_2_00CAD616
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C06E30 2_2_00C06E30
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CBDFCE 2_2_00CBDFCE
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CB1FF1 2_2_00CB1FF1
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_1_00401030 2_1_00401030
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_1_0041C122 2_1_0041C122
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_1_0041CB54 2_1_0041CB54
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_1_00408C4D 2_1_00408C4D
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_1_00408C50 2_1_00408C50
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_1_0041BC5C 2_1_0041BC5C
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_1_00402D88 2_1_00402D88
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_1_00402D90 2_1_00402D90
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_1_0041B626 2_1_0041B626
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_1_0041BF31 2_1_0041BF31
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_1_00402FB0 2_1_00402FB0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05511D55 5_2_05511D55
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05512D07 5_2_05512D07
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05440D20 5_2_05440D20
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_055125DD 5_2_055125DD
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0545D5E0 5_2_0545D5E0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05472581 5_2_05472581
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0550D466 5_2_0550D466
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0545841F 5_2_0545841F
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0551DFCE 5_2_0551DFCE
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05511FF1 5_2_05511FF1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0550D616 5_2_0550D616
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05466E30 5_2_05466E30
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05512EF7 5_2_05512EF7
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0544F900 5_2_0544F900
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05464120 5_2_05464120
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_054699BF 5_2_054699BF
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05501002 5_2_05501002
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0551E824 5_2_0551E824
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0546A830 5_2_0546A830
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_055128EC 5_2_055128EC
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0545B090 5_2_0545B090
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_054720A0 5_2_054720A0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_055120A8 5_2_055120A8
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0546AB40 5_2_0546AB40
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0546A309 5_2_0546A309
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05512B28 5_2_05512B28
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0550DBD2 5_2_0550DBD2
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_055003DA 5_2_055003DA
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0547ABD8 5_2_0547ABD8
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_054F23E3 5_2_054F23E3
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0547EBB0 5_2_0547EBB0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_054FFA2B 5_2_054FFA2B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_055122AE 5_2_055122AE
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0339CB54 5_2_0339CB54
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_03382FB0 5_2_03382FB0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0339B626 5_2_0339B626
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_03382D90 5_2_03382D90
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_03382D88 5_2_03382D88
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_03388C50 5_2_03388C50
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_03388C4D 5_2_03388C4D
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\New Order.exe Code function: String function: 00BEB150 appears 136 times
Source: C:\Users\user\Desktop\New Order.exe Code function: String function: 00419F70 appears 38 times
Source: C:\Users\user\Desktop\New Order.exe Code function: String function: 0041A0A0 appears 38 times
Source: C:\Windows\SysWOW64\wscript.exe Code function: String function: 0544B150 appears 90 times
Sample file is different than original file name gathered from version info
Source: New Order.exe, 00000000.00000003.638250187.00000000099EF000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs New Order.exe
Source: New Order.exe, 00000002.00000002.690441656.0000000000A30000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamewscript.exe` vs New Order.exe
Source: New Order.exe, 00000002.00000002.690596917.0000000000CDF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs New Order.exe
Uses 32bit PE files
Source: New Order.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 00000005.00000002.901125001.0000000000EB0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.901125001.0000000000EB0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.901427699.0000000003380000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.901427699.0000000003380000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.690404186.00000000009F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.690404186.00000000009F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.645023716.00000000022A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.645023716.00000000022A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.690073712.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.690073712.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000001.642981900.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000001.642981900.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.690378991.00000000009C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.690378991.00000000009C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.New Order.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.New Order.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.1.New Order.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.1.New Order.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.1.New Order.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.1.New Order.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.New Order.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.New Order.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.New Order.exe.22a0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.New Order.exe.22a0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.New Order.exe.22a0000.2.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.New Order.exe.22a0000.2.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/3@11/7
Source: C:\Users\user\Desktop\New Order.exe Code function: 0_2_00404292 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_00404292
Source: C:\Users\user\Desktop\New Order.exe Code function: 0_2_00402053 CoCreateInstance,MultiByteToWideChar, 0_2_00402053
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6508:120:WilError_01
Source: C:\Users\user\Desktop\New Order.exe File created: C:\Users\user\AppData\Local\Temp\nssD6D2.tmp
Source: New Order.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\New Order.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\New Order.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\wscript.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: New Order.exe ReversingLabs: Detection: 36%
Source: C:\Users\user\Desktop\New Order.exe File read: C:\Users\user\Desktop\New Order.exe
Source: unknown Process created: C:\Users\user\Desktop\New Order.exe 'C:\Users\user\Desktop\New Order.exe'
Source: C:\Users\user\Desktop\New Order.exe Process created: C:\Users\user\Desktop\New Order.exe 'C:\Users\user\Desktop\New Order.exe'
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\New Order.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\New Order.exe Process created: C:\Users\user\Desktop\New Order.exe 'C:\Users\user\Desktop\New Order.exe'
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\New Order.exe'
Source: C:\Users\user\Desktop\New Order.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Binary string: wscript.pdbGCTL source: New Order.exe, 00000002.00000002.690441656.0000000000A30000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000003.00000000.656881329.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: New Order.exe, 00000000.00000003.641817824.0000000009770000.00000004.00000001.sdmp, New Order.exe, 00000002.00000002.690473130.0000000000BC0000.00000040.00000001.sdmp, wscript.exe, 00000005.00000002.901871458.0000000005420000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: New Order.exe, wscript.exe
Source: Binary string: wscript.pdb source: New Order.exe, 00000002.00000002.690441656.0000000000A30000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000003.00000000.656881329.0000000005A00000.00000002.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\New Order.exe Unpacked PE file: 2.2.New Order.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\New Order.exe Code function: 0_2_10001D3B GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,lstrcatA,GetProcAddress, 0_2_10001D3B
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\New Order.exe Code function: 0_2_100029F0 push eax; ret 0_2_10002A1E
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_0041B3B5 push eax; ret 2_2_0041B408
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_0041B46C push eax; ret 2_2_0041B472
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_0041B402 push eax; ret 2_2_0041B408
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_0041B40B push eax; ret 2_2_0041B472
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00415E63 push esp; iretd 2_2_00415E64
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C3D0D1 push ecx; ret 2_2_00C3D0E4
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_1_0041B3B5 push eax; ret 2_1_0041B408
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_1_0041B46C push eax; ret 2_1_0041B472
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_1_0041B402 push eax; ret 2_1_0041B408
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_1_0041B40B push eax; ret 2_1_0041B472
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_1_00415E63 push esp; iretd 2_1_00415E64
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0549D0D1 push ecx; ret 5_2_0549D0E4
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0339C33C push 020DC012h; ret 5_2_0339C343
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0339B3B5 push eax; ret 5_2_0339B408
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_03395E63 push esp; iretd 5_2_03395E64
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0339B40B push eax; ret 5_2_0339B472
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0339B402 push eax; ret 5_2_0339B408
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0339B46C push eax; ret 5_2_0339B472

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\New Order.exe File created: C:\Users\user\AppData\Local\Temp\nssD6D3.tmp\System.dll
Source: C:\Users\user\Desktop\New Order.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\New Order.exe RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\New Order.exe RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe RDTSC instruction interceptor: First address: 00000000033885E4 second address: 00000000033885EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe RDTSC instruction interceptor: First address: 000000000338896E second address: 0000000003388974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\New Order.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_004088A0 rdtsc 2_2_004088A0
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 3844 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\wscript.exe TID: 3524 Thread sleep time: -38000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\wscript.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\New Order.exe Code function: 0_2_00405E93 FindFirstFileA,FindClose, 0_2_00405E93
Source: C:\Users\user\Desktop\New Order.exe Code function: 0_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_004054BD
Source: C:\Users\user\Desktop\New Order.exe Code function: 0_2_00402671 FindFirstFileA, 0_2_00402671
Source: explorer.exe, 00000003.00000000.681162732.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000003.00000000.660805445.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.657224309.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.660941932.000000000A716000.00000004.00000001.sdmp Binary or memory string: War&Prod_VMware_SATAa
Source: explorer.exe, 00000003.00000000.653530097.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000003.00000000.681162732.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000003.00000000.660941932.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000003.00000000.681162732.00000000058C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000003.00000000.661002462.000000000A782000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: explorer.exe, 00000003.00000000.681162732.00000000058C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\New Order.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\New Order.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\wscript.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_004088A0 rdtsc 2_2_004088A0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00409B10 LdrLoadDll, 2_2_00409B10
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\New Order.exe Code function: 0_2_10001D3B GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,lstrcatA,GetProcAddress, 0_2_10001D3B
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C7B8D0 mov eax, dword ptr fs:[00000030h] 2_2_00C7B8D0
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C7B8D0 mov ecx, dword ptr fs:[00000030h] 2_2_00C7B8D0
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C0B8E4 mov eax, dword ptr fs:[00000030h] 2_2_00C0B8E4
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BE9080 mov eax, dword ptr fs:[00000030h] 2_2_00BE9080
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C63884 mov eax, dword ptr fs:[00000030h] 2_2_00C63884
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BE58EC mov eax, dword ptr fs:[00000030h] 2_2_00BE58EC
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BE40E1 mov eax, dword ptr fs:[00000030h] 2_2_00BE40E1
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C120A0 mov eax, dword ptr fs:[00000030h] 2_2_00C120A0
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C290AF mov eax, dword ptr fs:[00000030h] 2_2_00C290AF
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C1F0BF mov ecx, dword ptr fs:[00000030h] 2_2_00C1F0BF
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C1F0BF mov eax, dword ptr fs:[00000030h] 2_2_00C1F0BF
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C00050 mov eax, dword ptr fs:[00000030h] 2_2_00C00050
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BFB02A mov eax, dword ptr fs:[00000030h] 2_2_00BFB02A
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CA2073 mov eax, dword ptr fs:[00000030h] 2_2_00CA2073
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CB1074 mov eax, dword ptr fs:[00000030h] 2_2_00CB1074
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C67016 mov eax, dword ptr fs:[00000030h] 2_2_00C67016
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CB4015 mov eax, dword ptr fs:[00000030h] 2_2_00CB4015
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C1002D mov eax, dword ptr fs:[00000030h] 2_2_00C1002D
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C0A830 mov eax, dword ptr fs:[00000030h] 2_2_00C0A830
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C741E8 mov eax, dword ptr fs:[00000030h] 2_2_00C741E8
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C0C182 mov eax, dword ptr fs:[00000030h] 2_2_00C0C182
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C1A185 mov eax, dword ptr fs:[00000030h] 2_2_00C1A185
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C12990 mov eax, dword ptr fs:[00000030h] 2_2_00C12990
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BEB1E1 mov eax, dword ptr fs:[00000030h] 2_2_00BEB1E1
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C669A6 mov eax, dword ptr fs:[00000030h] 2_2_00C669A6
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C161A0 mov eax, dword ptr fs:[00000030h] 2_2_00C161A0
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CA49A4 mov eax, dword ptr fs:[00000030h] 2_2_00CA49A4
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C651BE mov eax, dword ptr fs:[00000030h] 2_2_00C651BE
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C099BF mov ecx, dword ptr fs:[00000030h] 2_2_00C099BF
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C099BF mov eax, dword ptr fs:[00000030h] 2_2_00C099BF
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C0B944 mov eax, dword ptr fs:[00000030h] 2_2_00C0B944
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BE9100 mov eax, dword ptr fs:[00000030h] 2_2_00BE9100
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BEB171 mov eax, dword ptr fs:[00000030h] 2_2_00BEB171
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BEC962 mov eax, dword ptr fs:[00000030h] 2_2_00BEC962
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C04120 mov eax, dword ptr fs:[00000030h] 2_2_00C04120
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C04120 mov ecx, dword ptr fs:[00000030h] 2_2_00C04120
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C1513A mov eax, dword ptr fs:[00000030h] 2_2_00C1513A
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C12ACB mov eax, dword ptr fs:[00000030h] 2_2_00C12ACB
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BFAAB0 mov eax, dword ptr fs:[00000030h] 2_2_00BFAAB0
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BE52A5 mov eax, dword ptr fs:[00000030h] 2_2_00BE52A5
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C12AE4 mov eax, dword ptr fs:[00000030h] 2_2_00C12AE4
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CA4AEF mov eax, dword ptr fs:[00000030h] 2_2_00CA4AEF
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C1D294 mov eax, dword ptr fs:[00000030h] 2_2_00C1D294
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C1FAB0 mov eax, dword ptr fs:[00000030h] 2_2_00C1FAB0
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C74257 mov eax, dword ptr fs:[00000030h] 2_2_00C74257
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CAEA55 mov eax, dword ptr fs:[00000030h] 2_2_00CAEA55
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BEAA16 mov eax, dword ptr fs:[00000030h] 2_2_00BEAA16
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C9B260 mov eax, dword ptr fs:[00000030h] 2_2_00C9B260
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CB8A62 mov eax, dword ptr fs:[00000030h] 2_2_00CB8A62
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BE5210 mov eax, dword ptr fs:[00000030h] 2_2_00BE5210
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BE5210 mov ecx, dword ptr fs:[00000030h] 2_2_00BE5210
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BF8A0A mov eax, dword ptr fs:[00000030h] 2_2_00BF8A0A
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C2927A mov eax, dword ptr fs:[00000030h] 2_2_00C2927A
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C03A1C mov eax, dword ptr fs:[00000030h] 2_2_00C03A1C
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CAAA16 mov eax, dword ptr fs:[00000030h] 2_2_00CAAA16
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C0A229 mov eax, dword ptr fs:[00000030h] 2_2_00C0A229
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C24A2C mov eax, dword ptr fs:[00000030h] 2_2_00C24A2C
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C0B236 mov eax, dword ptr fs:[00000030h] 2_2_00C0B236
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BE9240 mov eax, dword ptr fs:[00000030h] 2_2_00BE9240
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C653CA mov eax, dword ptr fs:[00000030h] 2_2_00C653CA
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C103E2 mov eax, dword ptr fs:[00000030h] 2_2_00C103E2
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C0DBE9 mov eax, dword ptr fs:[00000030h] 2_2_00C0DBE9
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C923E3 mov ecx, dword ptr fs:[00000030h] 2_2_00C923E3
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C923E3 mov eax, dword ptr fs:[00000030h] 2_2_00C923E3
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BF1B8F mov eax, dword ptr fs:[00000030h] 2_2_00BF1B8F
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CA138A mov eax, dword ptr fs:[00000030h] 2_2_00CA138A
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C9D380 mov ecx, dword ptr fs:[00000030h] 2_2_00C9D380
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C1138B mov eax, dword ptr fs:[00000030h] 2_2_00C1138B
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C1B390 mov eax, dword ptr fs:[00000030h] 2_2_00C1B390
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C12397 mov eax, dword ptr fs:[00000030h] 2_2_00C12397
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C14BAD mov eax, dword ptr fs:[00000030h] 2_2_00C14BAD
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CB5BA5 mov eax, dword ptr fs:[00000030h] 2_2_00CB5BA5
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CB8B58 mov eax, dword ptr fs:[00000030h] 2_2_00CB8B58
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C13B7A mov eax, dword ptr fs:[00000030h] 2_2_00C13B7A
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C0A309 mov eax, dword ptr fs:[00000030h] 2_2_00C0A309
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CA131B mov eax, dword ptr fs:[00000030h] 2_2_00CA131B
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BEDB60 mov ecx, dword ptr fs:[00000030h] 2_2_00BEDB60
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BEF358 mov eax, dword ptr fs:[00000030h] 2_2_00BEF358
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BEDB40 mov eax, dword ptr fs:[00000030h] 2_2_00BEDB40
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CB8CD6 mov eax, dword ptr fs:[00000030h] 2_2_00CB8CD6
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BF849B mov eax, dword ptr fs:[00000030h] 2_2_00BF849B
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CA14FB mov eax, dword ptr fs:[00000030h] 2_2_00CA14FB
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C66CF0 mov eax, dword ptr fs:[00000030h] 2_2_00C66CF0
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CA4496 mov eax, dword ptr fs:[00000030h] 2_2_00CA4496
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CA4496 mov eax, dword ptr fs:[00000030h] 2_2_00CA4496
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CA4496 mov eax, dword ptr fs:[00000030h] 2_2_00CA4496
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CA4496 mov eax, dword ptr fs:[00000030h] 2_2_00CA4496
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CA4496 mov eax, dword ptr fs:[00000030h] 2_2_00CA4496
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CA4496 mov eax, dword ptr fs:[00000030h] 2_2_00CA4496
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CA4496 mov eax, dword ptr fs:[00000030h] 2_2_00CA4496
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CA4496 mov eax, dword ptr fs:[00000030h] 2_2_00CA4496
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CA4496 mov eax, dword ptr fs:[00000030h] 2_2_00CA4496
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CA4496 mov eax, dword ptr fs:[00000030h] 2_2_00CA4496
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CA4496 mov eax, dword ptr fs:[00000030h] 2_2_00CA4496
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CA4496 mov eax, dword ptr fs:[00000030h] 2_2_00CA4496
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CA4496 mov eax, dword ptr fs:[00000030h] 2_2_00CA4496
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C1A44B mov eax, dword ptr fs:[00000030h] 2_2_00C1A44B
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C7C450 mov eax, dword ptr fs:[00000030h] 2_2_00C7C450
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C7C450 mov eax, dword ptr fs:[00000030h] 2_2_00C7C450
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C0746D mov eax, dword ptr fs:[00000030h] 2_2_00C0746D
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C0B477 mov eax, dword ptr fs:[00000030h] 2_2_00C0B477
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C0B477 mov eax, dword ptr fs:[00000030h] 2_2_00C0B477
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C0B477 mov eax, dword ptr fs:[00000030h] 2_2_00C0B477
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C0B477 mov eax, dword ptr fs:[00000030h] 2_2_00C0B477
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C0B477 mov eax, dword ptr fs:[00000030h] 2_2_00C0B477
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C0B477 mov eax, dword ptr fs:[00000030h] 2_2_00C0B477
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C0B477 mov eax, dword ptr fs:[00000030h] 2_2_00C0B477
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C0B477 mov eax, dword ptr fs:[00000030h] 2_2_00C0B477
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C0B477 mov eax, dword ptr fs:[00000030h] 2_2_00C0B477
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C0B477 mov eax, dword ptr fs:[00000030h] 2_2_00C0B477
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C0B477 mov eax, dword ptr fs:[00000030h] 2_2_00C0B477
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C0B477 mov eax, dword ptr fs:[00000030h] 2_2_00C0B477
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C1AC7B mov eax, dword ptr fs:[00000030h] 2_2_00C1AC7B
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C1AC7B mov eax, dword ptr fs:[00000030h] 2_2_00C1AC7B
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C1AC7B mov eax, dword ptr fs:[00000030h] 2_2_00C1AC7B
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C1AC7B mov eax, dword ptr fs:[00000030h] 2_2_00C1AC7B
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C1AC7B mov eax, dword ptr fs:[00000030h] 2_2_00C1AC7B
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C1AC7B mov eax, dword ptr fs:[00000030h] 2_2_00C1AC7B
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C1AC7B mov eax, dword ptr fs:[00000030h] 2_2_00C1AC7B
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C1AC7B mov eax, dword ptr fs:[00000030h] 2_2_00C1AC7B
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C1AC7B mov eax, dword ptr fs:[00000030h] 2_2_00C1AC7B
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C1AC7B mov eax, dword ptr fs:[00000030h] 2_2_00C1AC7B
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C1AC7B mov eax, dword ptr fs:[00000030h] 2_2_00C1AC7B
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CB740D mov eax, dword ptr fs:[00000030h] 2_2_00CB740D
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CB740D mov eax, dword ptr fs:[00000030h] 2_2_00CB740D
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CB740D mov eax, dword ptr fs:[00000030h] 2_2_00CB740D
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CA1C06 mov eax, dword ptr fs:[00000030h] 2_2_00CA1C06
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CA1C06 mov eax, dword ptr fs:[00000030h] 2_2_00CA1C06
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CA1C06 mov eax, dword ptr fs:[00000030h] 2_2_00CA1C06
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CA1C06 mov eax, dword ptr fs:[00000030h] 2_2_00CA1C06
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CA1C06 mov eax, dword ptr fs:[00000030h] 2_2_00CA1C06
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CA1C06 mov eax, dword ptr fs:[00000030h] 2_2_00CA1C06
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CA1C06 mov eax, dword ptr fs:[00000030h] 2_2_00CA1C06
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CA1C06 mov eax, dword ptr fs:[00000030h] 2_2_00CA1C06
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CA1C06 mov eax, dword ptr fs:[00000030h] 2_2_00CA1C06
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CA1C06 mov eax, dword ptr fs:[00000030h] 2_2_00CA1C06
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CA1C06 mov eax, dword ptr fs:[00000030h] 2_2_00CA1C06
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CA1C06 mov eax, dword ptr fs:[00000030h] 2_2_00CA1C06
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CA1C06 mov eax, dword ptr fs:[00000030h] 2_2_00CA1C06
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CA1C06 mov eax, dword ptr fs:[00000030h] 2_2_00CA1C06
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C66C0A mov eax, dword ptr fs:[00000030h] 2_2_00C66C0A
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C66C0A mov eax, dword ptr fs:[00000030h] 2_2_00C66C0A
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C66C0A mov eax, dword ptr fs:[00000030h] 2_2_00C66C0A
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C66C0A mov eax, dword ptr fs:[00000030h] 2_2_00C66C0A
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C1BC2C mov eax, dword ptr fs:[00000030h] 2_2_00C1BC2C
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C66DC9 mov eax, dword ptr fs:[00000030h] 2_2_00C66DC9
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C66DC9 mov eax, dword ptr fs:[00000030h] 2_2_00C66DC9
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C66DC9 mov eax, dword ptr fs:[00000030h] 2_2_00C66DC9
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C66DC9 mov ecx, dword ptr fs:[00000030h] 2_2_00C66DC9
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C66DC9 mov eax, dword ptr fs:[00000030h] 2_2_00C66DC9
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C66DC9 mov eax, dword ptr fs:[00000030h] 2_2_00C66DC9
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CAFDE2 mov eax, dword ptr fs:[00000030h] 2_2_00CAFDE2
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CAFDE2 mov eax, dword ptr fs:[00000030h] 2_2_00CAFDE2
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CAFDE2 mov eax, dword ptr fs:[00000030h] 2_2_00CAFDE2
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CAFDE2 mov eax, dword ptr fs:[00000030h] 2_2_00CAFDE2
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BE2D8A mov eax, dword ptr fs:[00000030h] 2_2_00BE2D8A
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BE2D8A mov eax, dword ptr fs:[00000030h] 2_2_00BE2D8A
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BE2D8A mov eax, dword ptr fs:[00000030h] 2_2_00BE2D8A
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BE2D8A mov eax, dword ptr fs:[00000030h] 2_2_00BE2D8A
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BE2D8A mov eax, dword ptr fs:[00000030h] 2_2_00BE2D8A
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C98DF1 mov eax, dword ptr fs:[00000030h] 2_2_00C98DF1
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C12581 mov eax, dword ptr fs:[00000030h] 2_2_00C12581
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C12581 mov eax, dword ptr fs:[00000030h] 2_2_00C12581
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C12581 mov eax, dword ptr fs:[00000030h] 2_2_00C12581
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C12581 mov eax, dword ptr fs:[00000030h] 2_2_00C12581
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CA2D82 mov eax, dword ptr fs:[00000030h] 2_2_00CA2D82
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CA2D82 mov eax, dword ptr fs:[00000030h] 2_2_00CA2D82
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CA2D82 mov eax, dword ptr fs:[00000030h] 2_2_00CA2D82
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CA2D82 mov eax, dword ptr fs:[00000030h] 2_2_00CA2D82
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CA2D82 mov eax, dword ptr fs:[00000030h] 2_2_00CA2D82
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CA2D82 mov eax, dword ptr fs:[00000030h] 2_2_00CA2D82
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CA2D82 mov eax, dword ptr fs:[00000030h] 2_2_00CA2D82
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C1FD9B mov eax, dword ptr fs:[00000030h] 2_2_00C1FD9B
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C1FD9B mov eax, dword ptr fs:[00000030h] 2_2_00C1FD9B
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BFD5E0 mov eax, dword ptr fs:[00000030h] 2_2_00BFD5E0
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BFD5E0 mov eax, dword ptr fs:[00000030h] 2_2_00BFD5E0
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C135A1 mov eax, dword ptr fs:[00000030h] 2_2_00C135A1
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CB05AC mov eax, dword ptr fs:[00000030h] 2_2_00CB05AC
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CB05AC mov eax, dword ptr fs:[00000030h] 2_2_00CB05AC
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C11DB5 mov eax, dword ptr fs:[00000030h] 2_2_00C11DB5
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C11DB5 mov eax, dword ptr fs:[00000030h] 2_2_00C11DB5
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C11DB5 mov eax, dword ptr fs:[00000030h] 2_2_00C11DB5
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C23D43 mov eax, dword ptr fs:[00000030h] 2_2_00C23D43
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C63540 mov eax, dword ptr fs:[00000030h] 2_2_00C63540
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C93D40 mov eax, dword ptr fs:[00000030h] 2_2_00C93D40
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BF3D34 mov eax, dword ptr fs:[00000030h] 2_2_00BF3D34
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BF3D34 mov eax, dword ptr fs:[00000030h] 2_2_00BF3D34
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BF3D34 mov eax, dword ptr fs:[00000030h] 2_2_00BF3D34
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BF3D34 mov eax, dword ptr fs:[00000030h] 2_2_00BF3D34
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BF3D34 mov eax, dword ptr fs:[00000030h] 2_2_00BF3D34
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BF3D34 mov eax, dword ptr fs:[00000030h] 2_2_00BF3D34
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BF3D34 mov eax, dword ptr fs:[00000030h] 2_2_00BF3D34
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BF3D34 mov eax, dword ptr fs:[00000030h] 2_2_00BF3D34
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BF3D34 mov eax, dword ptr fs:[00000030h] 2_2_00BF3D34
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BF3D34 mov eax, dword ptr fs:[00000030h] 2_2_00BF3D34
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BF3D34 mov eax, dword ptr fs:[00000030h] 2_2_00BF3D34
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BF3D34 mov eax, dword ptr fs:[00000030h] 2_2_00BF3D34
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BF3D34 mov eax, dword ptr fs:[00000030h] 2_2_00BF3D34
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BEAD30 mov eax, dword ptr fs:[00000030h] 2_2_00BEAD30
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C07D50 mov eax, dword ptr fs:[00000030h] 2_2_00C07D50
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C0C577 mov eax, dword ptr fs:[00000030h] 2_2_00C0C577
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C0C577 mov eax, dword ptr fs:[00000030h] 2_2_00C0C577
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C6A537 mov eax, dword ptr fs:[00000030h] 2_2_00C6A537
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CAE539 mov eax, dword ptr fs:[00000030h] 2_2_00CAE539
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C14D3B mov eax, dword ptr fs:[00000030h] 2_2_00C14D3B
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C14D3B mov eax, dword ptr fs:[00000030h] 2_2_00C14D3B
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C14D3B mov eax, dword ptr fs:[00000030h] 2_2_00C14D3B
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CB8D34 mov eax, dword ptr fs:[00000030h] 2_2_00CB8D34
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C28EC7 mov eax, dword ptr fs:[00000030h] 2_2_00C28EC7
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C9FEC0 mov eax, dword ptr fs:[00000030h] 2_2_00C9FEC0
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C136CC mov eax, dword ptr fs:[00000030h] 2_2_00C136CC
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CB8ED6 mov eax, dword ptr fs:[00000030h] 2_2_00CB8ED6
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C116E0 mov ecx, dword ptr fs:[00000030h] 2_2_00C116E0
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C7FE87 mov eax, dword ptr fs:[00000030h] 2_2_00C7FE87
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BF76E2 mov eax, dword ptr fs:[00000030h] 2_2_00BF76E2
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C646A7 mov eax, dword ptr fs:[00000030h] 2_2_00C646A7
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CB0EA5 mov eax, dword ptr fs:[00000030h] 2_2_00CB0EA5
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CB0EA5 mov eax, dword ptr fs:[00000030h] 2_2_00CB0EA5
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CB0EA5 mov eax, dword ptr fs:[00000030h] 2_2_00CB0EA5
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CAAE44 mov eax, dword ptr fs:[00000030h] 2_2_00CAAE44
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CAAE44 mov eax, dword ptr fs:[00000030h] 2_2_00CAAE44
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BEE620 mov eax, dword ptr fs:[00000030h] 2_2_00BEE620
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C0AE73 mov eax, dword ptr fs:[00000030h] 2_2_00C0AE73
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C0AE73 mov eax, dword ptr fs:[00000030h] 2_2_00C0AE73
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C0AE73 mov eax, dword ptr fs:[00000030h] 2_2_00C0AE73
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C0AE73 mov eax, dword ptr fs:[00000030h] 2_2_00C0AE73
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C0AE73 mov eax, dword ptr fs:[00000030h] 2_2_00C0AE73
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BEC600 mov eax, dword ptr fs:[00000030h] 2_2_00BEC600
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BEC600 mov eax, dword ptr fs:[00000030h] 2_2_00BEC600
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BEC600 mov eax, dword ptr fs:[00000030h] 2_2_00BEC600
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C18E00 mov eax, dword ptr fs:[00000030h] 2_2_00C18E00
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CA1608 mov eax, dword ptr fs:[00000030h] 2_2_00CA1608
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BF766D mov eax, dword ptr fs:[00000030h] 2_2_00BF766D
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C1A61C mov eax, dword ptr fs:[00000030h] 2_2_00C1A61C
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C1A61C mov eax, dword ptr fs:[00000030h] 2_2_00C1A61C
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C9FE3F mov eax, dword ptr fs:[00000030h] 2_2_00C9FE3F
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BF7E41 mov eax, dword ptr fs:[00000030h] 2_2_00BF7E41
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BF7E41 mov eax, dword ptr fs:[00000030h] 2_2_00BF7E41
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BF7E41 mov eax, dword ptr fs:[00000030h] 2_2_00BF7E41
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BF7E41 mov eax, dword ptr fs:[00000030h] 2_2_00BF7E41
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BF7E41 mov eax, dword ptr fs:[00000030h] 2_2_00BF7E41
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BF7E41 mov eax, dword ptr fs:[00000030h] 2_2_00BF7E41
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BF8794 mov eax, dword ptr fs:[00000030h] 2_2_00BF8794
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C237F5 mov eax, dword ptr fs:[00000030h] 2_2_00C237F5
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C67794 mov eax, dword ptr fs:[00000030h] 2_2_00C67794
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C67794 mov eax, dword ptr fs:[00000030h] 2_2_00C67794
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C67794 mov eax, dword ptr fs:[00000030h] 2_2_00C67794
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BE4F2E mov eax, dword ptr fs:[00000030h] 2_2_00BE4F2E
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BE4F2E mov eax, dword ptr fs:[00000030h] 2_2_00BE4F2E
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CB8F6A mov eax, dword ptr fs:[00000030h] 2_2_00CB8F6A
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CB070D mov eax, dword ptr fs:[00000030h] 2_2_00CB070D
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00CB070D mov eax, dword ptr fs:[00000030h] 2_2_00CB070D
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C1A70E mov eax, dword ptr fs:[00000030h] 2_2_00C1A70E
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C1A70E mov eax, dword ptr fs:[00000030h] 2_2_00C1A70E
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C0F716 mov eax, dword ptr fs:[00000030h] 2_2_00C0F716
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C7FF10 mov eax, dword ptr fs:[00000030h] 2_2_00C7FF10
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C7FF10 mov eax, dword ptr fs:[00000030h] 2_2_00C7FF10
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BFFF60 mov eax, dword ptr fs:[00000030h] 2_2_00BFFF60
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C1E730 mov eax, dword ptr fs:[00000030h] 2_2_00C1E730
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C0B73D mov eax, dword ptr fs:[00000030h] 2_2_00C0B73D
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00C0B73D mov eax, dword ptr fs:[00000030h] 2_2_00C0B73D
Source: C:\Users\user\Desktop\New Order.exe Code function: 2_2_00BFEF40 mov eax, dword ptr fs:[00000030h] 2_2_00BFEF40
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05483D43 mov eax, dword ptr fs:[00000030h] 5_2_05483D43
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_054C3540 mov eax, dword ptr fs:[00000030h] 5_2_054C3540
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_054F3D40 mov eax, dword ptr fs:[00000030h] 5_2_054F3D40
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05467D50 mov eax, dword ptr fs:[00000030h] 5_2_05467D50
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0546C577 mov eax, dword ptr fs:[00000030h] 5_2_0546C577
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0546C577 mov eax, dword ptr fs:[00000030h] 5_2_0546C577
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05518D34 mov eax, dword ptr fs:[00000030h] 5_2_05518D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0550E539 mov eax, dword ptr fs:[00000030h] 5_2_0550E539
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05453D34 mov eax, dword ptr fs:[00000030h] 5_2_05453D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05453D34 mov eax, dword ptr fs:[00000030h] 5_2_05453D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05453D34 mov eax, dword ptr fs:[00000030h] 5_2_05453D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05453D34 mov eax, dword ptr fs:[00000030h] 5_2_05453D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05453D34 mov eax, dword ptr fs:[00000030h] 5_2_05453D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05453D34 mov eax, dword ptr fs:[00000030h] 5_2_05453D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05453D34 mov eax, dword ptr fs:[00000030h] 5_2_05453D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05453D34 mov eax, dword ptr fs:[00000030h] 5_2_05453D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05453D34 mov eax, dword ptr fs:[00000030h] 5_2_05453D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05453D34 mov eax, dword ptr fs:[00000030h] 5_2_05453D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05453D34 mov eax, dword ptr fs:[00000030h] 5_2_05453D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05453D34 mov eax, dword ptr fs:[00000030h] 5_2_05453D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05453D34 mov eax, dword ptr fs:[00000030h] 5_2_05453D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0544AD30 mov eax, dword ptr fs:[00000030h] 5_2_0544AD30
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_054CA537 mov eax, dword ptr fs:[00000030h] 5_2_054CA537
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05474D3B mov eax, dword ptr fs:[00000030h] 5_2_05474D3B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05474D3B mov eax, dword ptr fs:[00000030h] 5_2_05474D3B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05474D3B mov eax, dword ptr fs:[00000030h] 5_2_05474D3B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_054C6DC9 mov eax, dword ptr fs:[00000030h] 5_2_054C6DC9
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_054C6DC9 mov eax, dword ptr fs:[00000030h] 5_2_054C6DC9
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_054C6DC9 mov eax, dword ptr fs:[00000030h] 5_2_054C6DC9
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_054C6DC9 mov ecx, dword ptr fs:[00000030h] 5_2_054C6DC9
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_054C6DC9 mov eax, dword ptr fs:[00000030h] 5_2_054C6DC9
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_054C6DC9 mov eax, dword ptr fs:[00000030h] 5_2_054C6DC9
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0545D5E0 mov eax, dword ptr fs:[00000030h] 5_2_0545D5E0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0545D5E0 mov eax, dword ptr fs:[00000030h] 5_2_0545D5E0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0550FDE2 mov eax, dword ptr fs:[00000030h] 5_2_0550FDE2
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0550FDE2 mov eax, dword ptr fs:[00000030h] 5_2_0550FDE2
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0550FDE2 mov eax, dword ptr fs:[00000030h] 5_2_0550FDE2
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0550FDE2 mov eax, dword ptr fs:[00000030h] 5_2_0550FDE2
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_054F8DF1 mov eax, dword ptr fs:[00000030h] 5_2_054F8DF1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05472581 mov eax, dword ptr fs:[00000030h] 5_2_05472581
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05472581 mov eax, dword ptr fs:[00000030h] 5_2_05472581
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05472581 mov eax, dword ptr fs:[00000030h] 5_2_05472581
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05472581 mov eax, dword ptr fs:[00000030h] 5_2_05472581
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05442D8A mov eax, dword ptr fs:[00000030h] 5_2_05442D8A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05442D8A mov eax, dword ptr fs:[00000030h] 5_2_05442D8A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05442D8A mov eax, dword ptr fs:[00000030h] 5_2_05442D8A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05442D8A mov eax, dword ptr fs:[00000030h] 5_2_05442D8A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05442D8A mov eax, dword ptr fs:[00000030h] 5_2_05442D8A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0547FD9B mov eax, dword ptr fs:[00000030h] 5_2_0547FD9B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0547FD9B mov eax, dword ptr fs:[00000030h] 5_2_0547FD9B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_054735A1 mov eax, dword ptr fs:[00000030h] 5_2_054735A1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05471DB5 mov eax, dword ptr fs:[00000030h] 5_2_05471DB5
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05471DB5 mov eax, dword ptr fs:[00000030h] 5_2_05471DB5
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05471DB5 mov eax, dword ptr fs:[00000030h] 5_2_05471DB5
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_055105AC mov eax, dword ptr fs:[00000030h] 5_2_055105AC
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_055105AC mov eax, dword ptr fs:[00000030h] 5_2_055105AC
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0547A44B mov eax, dword ptr fs:[00000030h] 5_2_0547A44B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_054DC450 mov eax, dword ptr fs:[00000030h] 5_2_054DC450
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_054DC450 mov eax, dword ptr fs:[00000030h] 5_2_054DC450
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0546746D mov eax, dword ptr fs:[00000030h] 5_2_0546746D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0547AC7B mov eax, dword ptr fs:[00000030h] 5_2_0547AC7B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0547AC7B mov eax, dword ptr fs:[00000030h] 5_2_0547AC7B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0547AC7B mov eax, dword ptr fs:[00000030h] 5_2_0547AC7B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0547AC7B mov eax, dword ptr fs:[00000030h] 5_2_0547AC7B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0547AC7B mov eax, dword ptr fs:[00000030h] 5_2_0547AC7B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0547AC7B mov eax, dword ptr fs:[00000030h] 5_2_0547AC7B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0547AC7B mov eax, dword ptr fs:[00000030h] 5_2_0547AC7B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0547AC7B mov eax, dword ptr fs:[00000030h] 5_2_0547AC7B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0547AC7B mov eax, dword ptr fs:[00000030h] 5_2_0547AC7B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0547AC7B mov eax, dword ptr fs:[00000030h] 5_2_0547AC7B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0547AC7B mov eax, dword ptr fs:[00000030h] 5_2_0547AC7B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_054C6C0A mov eax, dword ptr fs:[00000030h] 5_2_054C6C0A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_054C6C0A mov eax, dword ptr fs:[00000030h] 5_2_054C6C0A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_054C6C0A mov eax, dword ptr fs:[00000030h] 5_2_054C6C0A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_054C6C0A mov eax, dword ptr fs:[00000030h] 5_2_054C6C0A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05501C06 mov eax, dword ptr fs:[00000030h] 5_2_05501C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05501C06 mov eax, dword ptr fs:[00000030h] 5_2_05501C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05501C06 mov eax, dword ptr fs:[00000030h] 5_2_05501C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05501C06 mov eax, dword ptr fs:[00000030h] 5_2_05501C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05501C06 mov eax, dword ptr fs:[00000030h] 5_2_05501C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05501C06 mov eax, dword ptr fs:[00000030h] 5_2_05501C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05501C06 mov eax, dword ptr fs:[00000030h] 5_2_05501C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05501C06 mov eax, dword ptr fs:[00000030h] 5_2_05501C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05501C06 mov eax, dword ptr fs:[00000030h] 5_2_05501C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05501C06 mov eax, dword ptr fs:[00000030h] 5_2_05501C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05501C06 mov eax, dword ptr fs:[00000030h] 5_2_05501C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05501C06 mov eax, dword ptr fs:[00000030h] 5_2_05501C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05501C06 mov eax, dword ptr fs:[00000030h] 5_2_05501C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05501C06 mov eax, dword ptr fs:[00000030h] 5_2_05501C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0551740D mov eax, dword ptr fs:[00000030h] 5_2_0551740D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0551740D mov eax, dword ptr fs:[00000030h] 5_2_0551740D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0551740D mov eax, dword ptr fs:[00000030h] 5_2_0551740D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0547BC2C mov eax, dword ptr fs:[00000030h] 5_2_0547BC2C
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05518CD6 mov eax, dword ptr fs:[00000030h] 5_2_05518CD6
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_055014FB mov eax, dword ptr fs:[00000030h] 5_2_055014FB
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_054C6CF0 mov eax, dword ptr fs:[00000030h] 5_2_054C6CF0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_054C6CF0 mov eax, dword ptr fs:[00000030h] 5_2_054C6CF0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_054C6CF0 mov eax, dword ptr fs:[00000030h] 5_2_054C6CF0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0545849B mov eax, dword ptr fs:[00000030h] 5_2_0545849B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0545EF40 mov eax, dword ptr fs:[00000030h] 5_2_0545EF40
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0545FF60 mov eax, dword ptr fs:[00000030h] 5_2_0545FF60
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_05518F6A mov eax, dword ptr fs:[00000030h] 5_2_05518F6A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0547A70E mov eax, dword ptr fs:[00000030h] 5_2_0547A70E
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0547A70E mov eax, dword ptr fs:[00000030h] 5_2_0547A70E
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0546F716 mov eax, dword ptr fs:[00000030h] 5_2_0546F716
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0551070D mov eax, dword ptr fs:[00000030h] 5_2_0551070D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_0551070D mov eax, dword ptr fs:[00000030h] 5_2_0551070D
Enables debug privileges
Source: C:\Users\user\Desktop\New Order.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\wscript.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\wscript.exe Network Connect: 192.155.181.250 80
Source: C:\Windows\explorer.exe Domain query: www.ayanmobile.com
Source: C:\Windows\SysWOW64\wscript.exe Domain query: www.ty-valve.com
Source: C:\Windows\explorer.exe Domain query: www.cuttingemporium.com
Source: C:\Windows\explorer.exe Domain query: www.securenotifications.com
Source: C:\Windows\explorer.exe Domain query: www.collectordrive.com
Source: C:\Windows\explorer.exe Network Connect: 35.209.88.35 80
Source: C:\Windows\explorer.exe Domain query: www.dietsz.com
Source: C:\Windows\explorer.exe Domain query: www.optimismactivism.com
Source: C:\Windows\explorer.exe Domain query: www.gangju123.com
Source: C:\Windows\explorer.exe Network Connect: 107.161.23.204 80
Source: C:\Windows\explorer.exe Network Connect: 208.91.197.91 80
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Network Connect: 160.153.78.1 80
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\New Order.exe Section loaded: unknown target: C:\Users\user\Desktop\New Order.exe protection: execute and read and write
Source: C:\Users\user\Desktop\New Order.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\New Order.exe Section loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write
Source: C:\Users\user\Desktop\New Order.exe Section loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\New Order.exe Thread register set: target process: 3424
Source: C:\Windows\SysWOW64\wscript.exe Thread register set: target process: 3424
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\New Order.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\New Order.exe Section unmapped: C:\Windows\SysWOW64\wscript.exe base address: DF0000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\New Order.exe Process created: C:\Users\user\Desktop\New Order.exe 'C:\Users\user\Desktop\New Order.exe'
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\New Order.exe'
Source: explorer.exe, 00000003.00000000.668700354.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000003.00000000.670473260.0000000001080000.00000002.00000001.sdmp, wscript.exe, 00000005.00000002.901778690.0000000003CE0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000003.00000000.670473260.0000000001080000.00000002.00000001.sdmp, wscript.exe, 00000005.00000002.901778690.0000000003CE0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.670473260.0000000001080000.00000002.00000001.sdmp, wscript.exe, 00000005.00000002.901778690.0000000003CE0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.670473260.0000000001080000.00000002.00000001.sdmp, wscript.exe, 00000005.00000002.901778690.0000000003CE0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000003.00000000.660941932.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D
Source: C:\Users\user\Desktop\New Order.exe Code function: 0_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_004030FB

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000005.00000002.901125001.0000000000EB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.901427699.0000000003380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.690404186.00000000009F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.645023716.00000000022A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.690073712.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000001.642981900.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.690378991.00000000009C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.New Order.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.New Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.New Order.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.New Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New Order.exe.22a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New Order.exe.22a0000.2.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000005.00000002.901125001.0000000000EB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.901427699.0000000003380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.690404186.00000000009F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.645023716.00000000022A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.690073712.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000001.642981900.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.690378991.00000000009C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.New Order.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.New Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.New Order.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.New Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New Order.exe.22a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.New Order.exe.22a0000.2.unpack, type: UNPACKEDPE