Analysis

Category Package Started Completed Duration
FILE Injection 2020-01-14 13:29:22 2020-01-14 13:30:29 67 seconds

Options

route = internet
procdump = 0

Log

2020-01-14 13:29:24,062 [root] INFO: Date set to: 01-14-20, time set to: 13:29:24, timeout set to: 200
2020-01-14 13:29:24,092 [root] DEBUG: Starting analyzer from: C:\pmmyqife
2020-01-14 13:29:24,108 [root] DEBUG: Storing results at: C:\egNbWpEzRR
2020-01-14 13:29:24,108 [root] DEBUG: Pipe server name: \\.\PIPE\JZwjuhHprv
2020-01-14 13:29:24,108 [root] INFO: Analysis package "Injection" has been specified.
2020-01-14 13:29:24,779 [root] DEBUG: Started auxiliary module Browser
2020-01-14 13:29:24,779 [root] DEBUG: Started auxiliary module Curtain
2020-01-14 13:29:24,779 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2020-01-14 13:29:25,482 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-01-14 13:29:25,482 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-01-14 13:29:25,496 [root] DEBUG: Started auxiliary module DigiSig
2020-01-14 13:29:25,496 [root] DEBUG: Started auxiliary module Disguise
2020-01-14 13:29:25,513 [root] DEBUG: Started auxiliary module Human
2020-01-14 13:29:25,528 [root] DEBUG: Started auxiliary module Screenshots
2020-01-14 13:29:25,543 [root] DEBUG: Started auxiliary module Sysmon
2020-01-14 13:29:25,559 [root] DEBUG: Started auxiliary module Usage
2020-01-14 13:29:25,559 [root] INFO: Analyzer: DLL set to Injection.dll from package modules.packages.Injection
2020-01-14 13:29:25,559 [root] INFO: Analyzer: DLL_64 set to Injection_x64.dll from package modules.packages.Injection
2020-01-14 13:29:25,591 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\ORDER810.EXE" with arguments "" with pid 1748
2020-01-14 13:29:25,591 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-01-14 13:29:25,605 [lib.api.process] INFO: 32-bit DLL to inject is C:\pmmyqife\dll\IrXttp.dll, loader C:\pmmyqife\bin\BxMxHkb.exe
2020-01-14 13:29:25,668 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\JZwjuhHprv.
2020-01-14 13:29:25,700 [root] DEBUG: Loader: Injecting process 1748 (thread 2008) with C:\pmmyqife\dll\IrXttp.dll.
2020-01-14 13:29:25,700 [root] DEBUG: Process image base: 0x00400000
2020-01-14 13:29:25,716 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\pmmyqife\dll\IrXttp.dll.
2020-01-14 13:29:25,730 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-01-14 13:29:25,730 [root] DEBUG: Successfully injected DLL C:\pmmyqife\dll\IrXttp.dll.
2020-01-14 13:29:25,730 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1748
2020-01-14 13:29:27,743 [lib.api.process] INFO: Successfully resumed process with pid 1748
2020-01-14 13:29:27,743 [root] INFO: Added new process to list with pid: 1748
2020-01-14 13:29:27,836 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-01-14 13:29:27,836 [root] DEBUG: Process dumps disabled.
2020-01-14 13:29:27,900 [root] INFO: Disabling sleep skipping.
2020-01-14 13:29:27,900 [root] INFO: Disabling sleep skipping.
2020-01-14 13:29:27,900 [root] INFO: Disabling sleep skipping.
2020-01-14 13:29:27,914 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-01-14 13:29:27,914 [root] INFO: Disabling sleep skipping.
2020-01-14 13:29:27,930 [root] DEBUG: CAPE initialised: 32-bit Injection package loaded in process 1748 at 0x747a0000, image base 0x400000, stack from 0x186000-0x190000
2020-01-14 13:29:27,930 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\ORDER810.EXE".
2020-01-14 13:29:27,930 [root] INFO: Monitor successfully loaded in process with pid 1748.
2020-01-14 13:29:27,930 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xc4 amd local view 0x03AA0000 to global list ().
2020-01-14 13:29:28,009 [root] DEBUG: DLL loaded at 0x74B40000: C:\Windows\system32\SXS (0x5f000 bytes).
2020-01-14 13:29:28,118 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x100 amd local view 0x003E0000 to global list (\Sessions\1\BaseNamedObjects\CTF.AsmListCache.FMPDefault1).
2020-01-14 13:29:28,196 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x003F0000 for section view with handle 0x100 (\Sessions\1\BaseNamedObjects\CTF.AsmListCache.FMPDefault1).
2020-01-14 13:29:28,226 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x04390000 for section view with handle 0x100 (\Sessions\1\BaseNamedObjects\CTF.AsmListCache.FMPDefault1).
2020-01-14 13:29:32,923 [root] DEBUG: set_caller_info: Adding region at 0x003F0000 to caller regions list (kernel32::SetErrorMode).
2020-01-14 13:29:34,934 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x10c amd local view 0x75B20000 to global list (\KnownDlls32\SHELL32.dll).
2020-01-14 13:29:34,934 [root] DEBUG: DLL loaded at 0x75B20000: C:\Windows\syswow64\shell32 (0xc4a000 bytes).
2020-01-14 13:29:35,059 [root] INFO: Announced 32-bit process name: ORDER810.EXE pid: 2260
2020-01-14 13:29:35,059 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-01-14 13:29:35,059 [lib.api.process] INFO: 32-bit DLL to inject is C:\pmmyqife\dll\IrXttp.dll, loader C:\pmmyqife\bin\BxMxHkb.exe
2020-01-14 13:29:35,075 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\JZwjuhHprv.
2020-01-14 13:29:35,075 [root] DEBUG: Loader: Injecting process 2260 (thread 1864) with C:\pmmyqife\dll\IrXttp.dll.
2020-01-14 13:29:35,075 [root] DEBUG: Process image base: 0x00400000
2020-01-14 13:29:35,075 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\pmmyqife\dll\IrXttp.dll.
2020-01-14 13:29:35,075 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-01-14 13:29:35,075 [root] DEBUG: Successfully injected DLL C:\pmmyqife\dll\IrXttp.dll.
2020-01-14 13:29:35,075 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2260
2020-01-14 13:29:35,075 [root] DEBUG: DLL loaded at 0x74CB0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-01-14 13:29:35,091 [root] DEBUG: DLL unloaded from 0x00400000.
2020-01-14 13:29:35,091 [root] DEBUG: CreateProcessHandler: Injection info set for new process 2260, ImageBase: 0x00400000
2020-01-14 13:29:35,091 [root] INFO: Announced 32-bit process name: ORDER810.EXE pid: 2260
2020-01-14 13:29:35,091 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-01-14 13:29:35,091 [lib.api.process] INFO: 32-bit DLL to inject is C:\pmmyqife\dll\IrXttp.dll, loader C:\pmmyqife\bin\BxMxHkb.exe
2020-01-14 13:29:35,091 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\JZwjuhHprv.
2020-01-14 13:29:35,107 [root] DEBUG: Loader: Injecting process 2260 (thread 1864) with C:\pmmyqife\dll\IrXttp.dll.
2020-01-14 13:29:35,107 [root] DEBUG: Process image base: 0x00400000
2020-01-14 13:29:35,107 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\pmmyqife\dll\IrXttp.dll.
2020-01-14 13:29:35,107 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-01-14 13:29:35,107 [root] DEBUG: Successfully injected DLL C:\pmmyqife\dll\IrXttp.dll.
2020-01-14 13:29:35,107 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2260
2020-01-14 13:29:35,107 [root] DEBUG: SetThreadContextHandler: Hollow process entry point reset via NtSetContextThread to 0x0001974F (process 2260).
2020-01-14 13:29:35,107 [root] INFO: Announced 32-bit process name: ORDER810.EXE pid: 2260
2020-01-14 13:29:35,107 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-01-14 13:29:35,107 [lib.api.process] INFO: 32-bit DLL to inject is C:\pmmyqife\dll\IrXttp.dll, loader C:\pmmyqife\bin\BxMxHkb.exe
2020-01-14 13:29:35,107 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\JZwjuhHprv.
2020-01-14 13:29:35,107 [root] DEBUG: Loader: Injecting process 2260 (thread 1864) with C:\pmmyqife\dll\IrXttp.dll.
2020-01-14 13:29:35,107 [root] DEBUG: Process image base: 0x00400000
2020-01-14 13:29:35,107 [root] DEBUG: InjectDllViaIAT: Modified EP detected, rebasing IAT patch to new image base 0x00400000 (context EP 0x0041974F)
2020-01-14 13:29:35,121 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\pmmyqife\dll\IrXttp.dll.
2020-01-14 13:29:35,121 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-01-14 13:29:35,121 [root] DEBUG: Successfully injected DLL C:\pmmyqife\dll\IrXttp.dll.
2020-01-14 13:29:35,121 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2260
2020-01-14 13:29:35,121 [root] DEBUG: ResumeThreadHandler: Dumping hollowed process 2260, image base 0x00400000.
2020-01-14 13:29:35,121 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2020-01-14 13:29:35,121 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001974F.
2020-01-14 13:29:35,138 [root] INFO: Added new CAPE file to list with path: C:\egNbWpEzRR\CAPE\1748_12015339043591514212020
2020-01-14 13:29:35,138 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x92600.
2020-01-14 13:29:35,138 [root] DEBUG: ResumeThreadHandler: Dumped PE image from buffer.
2020-01-14 13:29:35,138 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 2260.
2020-01-14 13:29:35,138 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 2260.
2020-01-14 13:29:35,154 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-01-14 13:29:35,154 [root] DEBUG: Process dumps disabled.
2020-01-14 13:29:35,154 [root] INFO: Disabling sleep skipping.
2020-01-14 13:29:35,154 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-01-14 13:29:35,154 [root] DEBUG: CAPE initialised: 32-bit Injection package loaded in process 2260 at 0x747a0000, image base 0x400000, stack from 0x186000-0x190000
2020-01-14 13:29:35,168 [root] INFO: Notified of termination of process with pid 1748.
2020-01-14 13:29:35,168 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\ORDER810.EXE".
2020-01-14 13:29:35,184 [root] INFO: Added new process to list with pid: 2260
2020-01-14 13:29:35,184 [root] INFO: Monitor successfully loaded in process with pid 2260.
2020-01-14 13:29:35,184 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xc4 amd local view 0x03A30000 to global list ().
2020-01-14 13:29:51,081 [root] DEBUG: set_caller_info: Adding region at 0x003F0000 to caller regions list (kernel32::SetErrorMode).
2020-01-14 13:29:53,108 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xd8 amd local view 0x75B20000 to global list (\KnownDlls32\SHELL32.dll).
2020-01-14 13:29:53,108 [root] DEBUG: DLL loaded at 0x75B20000: C:\Windows\syswow64\shell32 (0xc4a000 bytes).
2020-01-14 13:29:56,697 [root] DEBUG: DLL unloaded from 0x75700000.
2020-01-14 13:29:56,697 [root] INFO: Notified of termination of process with pid 2260.
2020-01-14 13:30:01,875 [root] INFO: Process list is empty, terminating analysis.
2020-01-14 13:30:02,905 [root] INFO: Created shutdown mutex.
2020-01-14 13:30:03,950 [root] INFO: Shutting down package.
2020-01-14 13:30:03,950 [root] INFO: Stopping auxiliary modules.
2020-01-14 13:30:03,950 [root] INFO: Finishing auxiliary modules.
2020-01-14 13:30:03,967 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-01-14 13:30:03,967 [root] WARNING: File at path "C:\egNbWpEzRR\debugger" does not exist, skip.
2020-01-14 13:30:03,967 [root] INFO: Analysis completed.

MalScore

9.0

Malicious

Machine

Name Label Manager Started On Shutdown On
target-02 target-02 ESX 2020-01-14 13:29:22 2020-01-14 13:30:28

File Details

File Name ORDER810.EXE
File Size 614400 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 b1bb6cf34adfc3e3fd4a7f9abe11b349
SHA1 a45ac69507d541eebab284ab0c2e5876baf41920
SHA256 9d66c985e0552ffc3eccdc20557921ce2c1df6dd6a66fb5b7f325acdad92de17
SHA512 a0ecd35693776dd7a59375f2cd832c8c0b26f18b30e6d7a7e46b69485e518d7815bab24acda364ed0ac7d233a29641d2d04e43349a352ff479d5adf23f92eb0a
CRC32 01F4B414
Ssdeep 12288:bW4qenezeBl0IFXGbcFX+QSrRKB5lFz0p:bWS0IFXGbMOLR6NzY
TrID
  • 88.6% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8)
  • 4.8% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 2.1% (.EXE) OS/2 Executable (generic) (2029/13)
  • 2.1% (.EXE) Generic Win/DOS Executable (2002/3)
  • 2.1% (.EXE) DOS Executable Generic (2000/1)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

Behavioural detection: Executable code extraction
NtSetInformationThread: attempt to hide thread from debugger
Possible date expiration check, exits too soon after checking local time
process: ORDER810.EXE, PID 1748
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: OLEAUT32.dll/OleLoadPictureEx
DynamicLoader: OLEAUT32.dll/DispCallFunc
DynamicLoader: OLEAUT32.dll/LoadTypeLibEx
DynamicLoader: OLEAUT32.dll/UnRegisterTypeLib
DynamicLoader: OLEAUT32.dll/CreateTypeLib2
DynamicLoader: OLEAUT32.dll/VarDateFromUdate
DynamicLoader: OLEAUT32.dll/VarUdateFromDate
DynamicLoader: OLEAUT32.dll/GetAltMonthNames
DynamicLoader: OLEAUT32.dll/VarNumFromParseNum
DynamicLoader: OLEAUT32.dll/VarParseNumFromStr
DynamicLoader: OLEAUT32.dll/VarDecFromR4
DynamicLoader: OLEAUT32.dll/VarDecFromR8
DynamicLoader: OLEAUT32.dll/VarDecFromDate
DynamicLoader: OLEAUT32.dll/VarDecFromI4
DynamicLoader: OLEAUT32.dll/VarDecFromCy
DynamicLoader: OLEAUT32.dll/VarR4FromDec
DynamicLoader: OLEAUT32.dll/GetRecordInfoFromTypeInfo
DynamicLoader: OLEAUT32.dll/GetRecordInfoFromGuids
DynamicLoader: OLEAUT32.dll/SafeArrayGetRecordInfo
DynamicLoader: OLEAUT32.dll/SafeArraySetRecordInfo
DynamicLoader: OLEAUT32.dll/SafeArrayGetIID
DynamicLoader: OLEAUT32.dll/SafeArraySetIID
DynamicLoader: OLEAUT32.dll/SafeArrayCopyData
DynamicLoader: OLEAUT32.dll/SafeArrayAllocDescriptorEx
DynamicLoader: OLEAUT32.dll/SafeArrayCreateEx
DynamicLoader: OLEAUT32.dll/VarFormat
DynamicLoader: OLEAUT32.dll/VarFormatDateTime
DynamicLoader: OLEAUT32.dll/VarFormatNumber
DynamicLoader: OLEAUT32.dll/VarFormatPercent
DynamicLoader: OLEAUT32.dll/VarFormatCurrency
DynamicLoader: OLEAUT32.dll/VarWeekdayName
DynamicLoader: OLEAUT32.dll/VarMonthName
DynamicLoader: OLEAUT32.dll/VarAdd
DynamicLoader: OLEAUT32.dll/VarAnd
DynamicLoader: OLEAUT32.dll/VarCat
DynamicLoader: OLEAUT32.dll/VarDiv
DynamicLoader: OLEAUT32.dll/VarEqv
DynamicLoader: OLEAUT32.dll/VarIdiv
DynamicLoader: OLEAUT32.dll/VarImp
DynamicLoader: OLEAUT32.dll/VarMod
DynamicLoader: OLEAUT32.dll/VarMul
DynamicLoader: OLEAUT32.dll/VarOr
DynamicLoader: OLEAUT32.dll/VarPow
DynamicLoader: OLEAUT32.dll/VarSub
DynamicLoader: OLEAUT32.dll/VarXor
DynamicLoader: OLEAUT32.dll/VarAbs
DynamicLoader: OLEAUT32.dll/VarFix
DynamicLoader: OLEAUT32.dll/VarInt
DynamicLoader: OLEAUT32.dll/VarNeg
DynamicLoader: OLEAUT32.dll/VarNot
DynamicLoader: OLEAUT32.dll/VarRound
DynamicLoader: OLEAUT32.dll/VarCmp
DynamicLoader: OLEAUT32.dll/VarDecAdd
DynamicLoader: OLEAUT32.dll/VarDecCmp
DynamicLoader: OLEAUT32.dll/VarBstrCat
DynamicLoader: OLEAUT32.dll/VarCyMulI4
DynamicLoader: OLEAUT32.dll/VarBstrCmp
DynamicLoader: ole32.dll/CoCreateInstanceEx
DynamicLoader: ole32.dll/CLSIDFromProgIDEx
DynamicLoader: SXS.DLL/SxsOleAut32MapIIDOrCLSIDToTypeLibrary
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/MonitorFromWindow
DynamicLoader: USER32.dll/MonitorFromRect
DynamicLoader: USER32.dll/MonitorFromPoint
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/GetMonitorInfoA
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: GDI32.dll/GetLayout
DynamicLoader: GDI32.dll/GdiRealizationInfo
DynamicLoader: GDI32.dll/FontIsLinked
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: GDI32.dll/GetFontAssocStatus
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: GDI32.dll/GetTextExtentExPointWPri
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: USER32.dll/EnumWindows
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/SetLastError
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: shell32.DLL/ShellExecuteW
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/VirtualProtectEx
DynamicLoader: kernel32.dll/CreateProcessInternalW
DynamicLoader: kernel32.dll/GetTempPathW
DynamicLoader: kernel32.dll/GetLongPathNameW
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/ExitThread
DynamicLoader: kernel32.dll/GetCurrentThread
DynamicLoader: ntdll.dll/NtProtectVirtualMemory
DynamicLoader: ntdll.dll/DbgBreakPoint
DynamicLoader: ntdll.dll/DbgUiRemoteBreakin
DynamicLoader: ntdll.dll/NtSetInformationThread
DynamicLoader: ntdll.dll/NtAllocateVirtualMemory
DynamicLoader: ntdll.dll/NtGetContextThread
DynamicLoader: ntdll.dll/NtSetContextThread
DynamicLoader: USER32.dll/GetCursorPos
DynamicLoader: ntdll.dll/NtResumeThread
DynamicLoader: kernel32.dll/GetExitCodeProcess
DynamicLoader: kernel32.dll/IsTNT
DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: USER32.dll/EnumWindows
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/SetLastError
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: shell32.DLL/ShellExecuteW
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/VirtualProtectEx
DynamicLoader: kernel32.dll/CreateProcessInternalW
DynamicLoader: kernel32.dll/GetTempPathW
DynamicLoader: kernel32.dll/GetLongPathNameW
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/ExitThread
DynamicLoader: kernel32.dll/GetCurrentThread
DynamicLoader: ntdll.dll/NtProtectVirtualMemory
DynamicLoader: ntdll.dll/DbgBreakPoint
DynamicLoader: ntdll.dll/DbgUiRemoteBreakin
DynamicLoader: ntdll.dll/NtSetInformationThread
DynamicLoader: ntdll.dll/NtAllocateVirtualMemory
DynamicLoader: ntdll.dll/NtGetContextThread
DynamicLoader: ntdll.dll/NtSetContextThread
DynamicLoader: kernel32.dll/GetStartupInfoW
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/GetCurrentThread
DynamicLoader: kernel32.dll/TerminateThread
CAPE extracted potentially suspicious content
ORDER810.EXE: Injected PE Image: 32-bit executable
The binary likely contains encrypted or compressed data.
section: name: .text, entropy: 6.90, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00093000, virtual_size: 0x00092188
Behavioural detection: Injection (Process Hollowing)
Injection: ORDER810.EXE(1748) -> ORDER810.EXE(2260)
Executed a process and injected code into it, probably while unpacking
Injection: ORDER810.EXE(1748) -> ORDER810.EXE(2260)

Screenshots


Hosts

No hosts contacted.

DNS

No domains contacted.


Summary

C:\Windows\Globalization\Sorting\sortdefault.nls
\Device\KsecDD
C:\Users\user\AppData\Local\Temp\ORDER810.EXE.cfg
C:\Windows\sysnative\C_932.NLS
C:\Windows\sysnative\C_949.NLS
C:\Windows\sysnative\C_950.NLS
C:\Windows\sysnative\C_936.NLS
C:\Windows\SysWOW64\en-US\MSCTF.dll.mui
C:\Windows\Fonts\staticcache.dat
C:\Windows\SysWOW64\ntdll.dll
C:\Windows\Globalization\Sorting\sortdefault.nls
\Device\KsecDD
C:\Windows\SysWOW64\en-US\MSCTF.dll.mui
C:\Windows\Fonts\staticcache.dat
C:\Windows\SysWOW64\ntdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Codepage
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\932
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\949
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\950
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\936
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\ORDER810.EXE
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{70FAF614-E0B1-11D3-8F5C-00C04F9CF4AC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{FA445657-9379-11D6-B41A-00065B83EE53}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Keyboard Layout\Toggle
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\MS Sans Serif
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\932
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\949
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\950
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\936
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
kernel32.dll.IsProcessorFeaturePresent
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
cryptbase.dll.SystemFunction036
oleaut32.dll.OleLoadPictureEx
oleaut32.dll.DispCallFunc
oleaut32.dll.LoadTypeLibEx
oleaut32.dll.UnRegisterTypeLib
oleaut32.dll.CreateTypeLib2
oleaut32.dll.VarDateFromUdate
oleaut32.dll.VarUdateFromDate
oleaut32.dll.GetAltMonthNames
oleaut32.dll.VarNumFromParseNum
oleaut32.dll.VarParseNumFromStr
oleaut32.dll.VarDecFromR4
oleaut32.dll.VarDecFromR8
oleaut32.dll.VarDecFromDate
oleaut32.dll.VarDecFromI4
oleaut32.dll.VarDecFromCy
oleaut32.dll.VarR4FromDec
oleaut32.dll.GetRecordInfoFromTypeInfo
oleaut32.dll.GetRecordInfoFromGuids
oleaut32.dll.SafeArrayGetRecordInfo
oleaut32.dll.SafeArraySetRecordInfo
oleaut32.dll.SafeArrayGetIID
oleaut32.dll.SafeArraySetIID
oleaut32.dll.SafeArrayCopyData
oleaut32.dll.SafeArrayAllocDescriptorEx
oleaut32.dll.SafeArrayCreateEx
oleaut32.dll.VarFormat
oleaut32.dll.VarFormatDateTime
oleaut32.dll.VarFormatNumber
oleaut32.dll.VarFormatPercent
oleaut32.dll.VarFormatCurrency
oleaut32.dll.VarWeekdayName
oleaut32.dll.VarMonthName
oleaut32.dll.VarAdd
oleaut32.dll.VarAnd
oleaut32.dll.VarCat
oleaut32.dll.VarDiv
oleaut32.dll.VarEqv
oleaut32.dll.VarIdiv
oleaut32.dll.VarImp
oleaut32.dll.VarMod
oleaut32.dll.VarMul
oleaut32.dll.VarOr
oleaut32.dll.VarPow
oleaut32.dll.VarSub
oleaut32.dll.VarXor
oleaut32.dll.VarAbs
oleaut32.dll.VarFix
oleaut32.dll.VarInt
oleaut32.dll.VarNeg
oleaut32.dll.VarNot
oleaut32.dll.VarRound
oleaut32.dll.VarCmp
oleaut32.dll.VarDecAdd
oleaut32.dll.VarDecCmp
oleaut32.dll.VarBstrCat
oleaut32.dll.VarCyMulI4
oleaut32.dll.VarBstrCmp
ole32.dll.CoCreateInstanceEx
ole32.dll.CLSIDFromProgIDEx
sxs.dll.SxsOleAut32MapIIDOrCLSIDToTypeLibrary
user32.dll.GetSystemMetrics
user32.dll.MonitorFromWindow
user32.dll.MonitorFromRect
user32.dll.MonitorFromPoint
user32.dll.EnumDisplayMonitors
user32.dll.GetMonitorInfoA
ole32.dll.CoInitializeEx
ole32.dll.CoUninitialize
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy
gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryValueExW
advapi32.dll.RegCloseKey
gdi32.dll.GetFontAssocStatus
advapi32.dll.RegQueryValueExA
advapi32.dll.RegQueryInfoKeyW
advapi32.dll.RegEnumKeyExW
gdi32.dll.GetTextFaceAliasW
gdi32.dll.GetTextExtentExPointWPri
kernel32.dll.GetTickCount
kernel32.dll.Sleep
kernel32.dll.TerminateProcess
user32.dll.EnumWindows
kernel32.dll.SetErrorMode
kernel32.dll.SetLastError
kernel32.dll.CloseHandle
shell32.dll.ShellExecuteW
kernel32.dll.WriteFile
kernel32.dll.CreateFileW
kernel32.dll.VirtualProtectEx
kernel32.dll.CreateProcessInternalW
kernel32.dll.GetTempPathW
kernel32.dll.GetLongPathNameW
kernel32.dll.GetFileSize
kernel32.dll.ReadFile
kernel32.dll.ExitThread
kernel32.dll.GetCurrentThread
ntdll.dll.NtProtectVirtualMemory
ntdll.dll.DbgBreakPoint
ntdll.dll.DbgUiRemoteBreakin
ntdll.dll.NtSetInformationThread
ntdll.dll.NtAllocateVirtualMemory
ntdll.dll.NtGetContextThread
ntdll.dll.NtSetContextThread
user32.dll.GetCursorPos
ntdll.dll.NtResumeThread
kernel32.dll.GetExitCodeProcess
kernel32.dll.GetStartupInfoW
kernel32.dll.CreateThread
kernel32.dll.TerminateThread
"C:\Users\user\AppData\Local\Temp\ORDER810.EXE"
Local\MSCTF.Asm.MutexDefault1

PE Information

Image Base 0x00400000
Entry Point 0x0040121c
Reported Checksum 0x0009f053
Actual Checksum 0x0009f053
Minimum OS Version 4.0
Compile Time 2010-02-17 02:43:30
Import Hash 7c3b82b09e0cf2b57d34b2cd8ba52288

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x00092188 0x00093000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.90
.data 0x00094000 0x000009f0 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.rsrc 0x00095000 0x000008c0 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 1.91

Imports

Library MSVBVM60.DLL:
0x401000 _CIcos
0x401004 _adj_fptan
0x401008 _adj_fdiv_m64
0x40100c _adj_fprem1
0x401014 _adj_fdiv_m32
0x401018 __vbaObjSet
0x40101c _adj_fdiv_m16i
0x401020 _adj_fdivr_m16i
0x401024 _CIsin
0x401028 __vbaChkstk
0x40102c EVENT_SINK_AddRef
0x401030 _adj_fpatan
0x401034 EVENT_SINK_Release
0x401038 _CIsqrt
0x401040 __vbaExceptHandler
0x401044 _adj_fprem
0x401048 _adj_fdivr_m64
0x40104c __vbaI2Str
0x401050 __vbaFPException
0x401054 _CIlog
0x401058 _adj_fdiv_m32i
0x40105c _adj_fdivr_m32i
0x401060 __vbaI4Str
0x401064 _adj_fdivr_m32
0x401068 _adj_fdiv_r
0x40106c None
0x401070 None
0x401074 _CIatan
0x401078 _allmul
0x40107c _CItan
0x401080 _CIexp
0x401084 __vbaFreeObj

.text
`.data
.rsrc
MSVBVM60.DLL
GOLDBEACHGAUCHEST3
GOLDBEACHkumyk7
GOLDBEACHBALROG1
GOLDBEACHMYGALID5
GOLDBEACHslagger
GOLDBEACHunpausing
GOLDBEACHTHRENETIC
GOLDBEACHimpent
GOLDBEACHendocorpuscular
gillERMALL8
gillERMALL7
gillERMALL7
GOLDBEACHSkycolored
GOLDBEACHGAUCHEST3
C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
GOLDBEACHTHRENETIC
GOLDBEACHslagger
GOLDBEACHLEAFER
GOLDBEACHBALROG1
GOLDBEACHendocorpuscular
GOLDBEACHSkycolored3
VBA6.DLL
__vbaFreeObj
__vbaObjSet
__vbaI2Str
__vbaI4Str
__vbaHresultCheckObj
MSVBVM60.DLL
_CIcos
_adj_fptan
_adj_fdiv_m64
_adj_fprem1
__vbaHresultCheckObj
_adj_fdiv_m32
__vbaObjSet
_adj_fdiv_m16i
_adj_fdivr_m16i
_CIsin
__vbaChkstk
EVENT_SINK_AddRef
_adj_fpatan
EVENT_SINK_Release
_CIsqrt
EVENT_SINK_QueryInterface
__vbaExceptHandler
_adj_fprem
_adj_fdivr_m64
__vbaI2Str
__vbaFPException
_CIlog
_adj_fdiv_m32i
_adj_fdivr_m32i
__vbaI4Str
_adj_fdivr_m32
_adj_fdiv_r
_CIatan
_allmul
_CItan
_CIexp
__vbaFreeObj
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
040904B0
Comments
cibero
ProductName
gillERMALL8
FileVersion
ProductVersion
InternalName
FRyou
OriginalFilename
FRyou.exe
This file is not on VirusTotal.

Process Tree


ORDER810.EXE, PID: 1748, Parent PID: 2644
Full Path: C:\Users\user\AppData\Local\Temp\ORDER810.EXE
Command Line: "C:\Users\user\AppData\Local\Temp\ORDER810.EXE"
ORDER810.EXE, PID: 2260, Parent PID: 1748
Full Path: C:\Users\user\AppData\Local\Temp\ORDER810.EXE
Command Line: "C:\Users\user\AppData\Local\Temp\ORDER810.EXE"

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

No UDP connections recorded.

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Type Injected PE Image: 32-bit executable
Size 599552 bytes
Target Process ORDER810.EXE
Target PID 2260
Target Path C:\Users\user\AppData\Local\Temp\ORDER810.EXE
Injecting Process ORDER810.EXE
Injecting PID 1748
Path C:\Users\user\AppData\Local\Temp\ORDER810.EXE
MD5 1cf232caf71c6a09b4fa009a1582ec5b
SHA1 df315c5cf7e50a2e2b50f58808889d9730a0a48e
SHA256 4e8b7ddf2c47af33c80a41406f1238eb2fa243a4e7dab98e86b5d495377914f7
CRC32 4184E912
Ssdeep 12288:jW4qenezeBl0IFXGbcFX+QSrRKB5lFz0p:jWS0IFXGbMOLR6NzY
Yara None matched
CAPE Yara None matched
Sorry! No process dumps.

Comments



No comments posted

Processing ( 1.483 seconds )

  • 0.532 CAPE
  • 0.407 Static
  • 0.274 TargetInfo
  • 0.115 TrID
  • 0.074 BehaviorAnalysis
  • 0.037 Strings
  • 0.03 Deduplicate
  • 0.007 NetworkAnalysis
  • 0.006 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.07 seconds )

  • 0.011 antiav_detectreg
  • 0.008 ransomware_files
  • 0.005 infostealer_ftp
  • 0.003 antidbg_windows
  • 0.003 persistence_autorun
  • 0.003 antiav_detectfile
  • 0.003 infostealer_im
  • 0.003 ransomware_extensions
  • 0.002 NewtWire Behavior
  • 0.002 api_spamming
  • 0.002 decoy_document
  • 0.002 stealth_timeout
  • 0.002 antianalysis_detectreg
  • 0.002 browser_security
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_mail
  • 0.001 tinba_behavior
  • 0.001 malicious_dynamic_function_loading
  • 0.001 antivm_vbox_libs
  • 0.001 rat_nanocore
  • 0.001 antiemu_wine_func
  • 0.001 betabot_behavior
  • 0.001 dynamic_function_loading
  • 0.001 cerber_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 antivm_vmware_keys
  • 0.001 geodo_banking_trojan
  • 0.001 disables_browser_warn
  • 0.001 masquerade_process_name

Reporting ( 0.001 seconds )

  • 0.001 CompressResults
Task ID 121532
Mongo ID 5e1dd9a6a21c7f1a1b47ace8
Cuckoo release 1.3-CAPE