
Analysis Report ORDER LIST_PDF.exe

Overview

General Information

Sample Name: ORDER LIST_PDF.exe
Analysis ID: 286384
MD5: b8977f0dbeb3062d7172c2b739f37f4c
SHA1: 5311fb7332c54f2ef9618da5fe7d2e45537082af
SHA256: e70c09c47308a13acff17e7e73ae9d2f0d8f697c1e1cf7d02ab786435c0d0d07
Tags: AgentTesla, exe

Most interesting Screenshot:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • ORDER LIST_PDF.exe (PID: 6036 cmdline: 'C:\Users\user\Desktop\ORDER LIST_PDF.exe' MD5: B8977F0DBEB3062D7172C2B739F37F4C)
    • schtasks.exe (PID: 1484 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\hNxvspXFyZv' /XML 'C:\Users\user\AppData\Local\Temp\tmpCBE2.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • wNanO.exe (PID: 996 cmdline: 'C:\Users\user\AppData\Roaming\wNanO\wNanO.exe' MD5: B8977F0DBEB3062D7172C2B739F37F4C)
    • schtasks.exe (PID: 5464 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\hNxvspXFyZv' /XML 'C:\Users\user\AppData\Local\Temp\tmp4047.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • wNanO.exe (PID: 1784 cmdline: {path} MD5: B8977F0DBEB3062D7172C2B739F37F4C)
  • wNanO.exe (PID: 5460 cmdline: 'C:\Users\user\AppData\Roaming\wNanO\wNanO.exe' MD5: B8977F0DBEB3062D7172C2B739F37F4C)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "cC0HI5gjG3", "URL: ": "http://xStCKv2M62Eiir94.org", "To: ": "Installation@pwmtdubai.com", "ByHost: ": "mail.pwmtdubai.com:587", "Password: ": "CGwdGIidopbl", "From: ": "Installation@pwmtdubai.com"}

Yara Overview

Memory Dumps

Columns: Source, Rule, Description, Author, Strings (5 of 11 entries shown)
Source: 00000000.00000002.213384542.0000000003CE8000.00000004.00000001.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 00000009.00000002.271353269.0000000003538000.00000004.00000001.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 0000000E.00000002.449212894.0000000002FCE000.00000004.00000001.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 0000000E.00000002.449212894.0000000002FCE000.00000004.00000001.sdmp, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source: 00000003.00000002.444837207.0000000000402000.00000040.00000001.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security

Unpacked PEs

Columns: Source, Rule, Description, Author, Strings
Source: 3.2.ORDER LIST_PDF.exe.400000.0.unpack, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 14.2.wNanO.exe.400000.0.unpack, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started, Author: Joe Security, Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\hNxvspXFyZv' /XML 'C:\Users\user\AppData\Local\Temp\tmpCBE2.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\hNxvspXFyZv' /XML 'C:\Users\user\AppData\Local\Temp\tmpCBE2.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\ORDER LIST_PDF.exe', ParentImage: C:\Users\user\Desktop\ORDER LIST_PDF.exe, ParentProcessId: 6036, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\hNxvspXFyZv' /XML 'C:\Users\user\AppData\Local\Temp\tmpCBE2.tmp', ProcessId: 1484

Signature Overview

AV Detection:

Found malware configuration
Source: ORDER LIST_PDF.exe.1196.3.memstr, Malware Configuration Extractor: Agenttesla {"Username: ": "cC0HI5gjG3", "URL: ": "http://xStCKv2M62Eiir94.org", "To: ": "Installation@pwmtdubai.com", "ByHost: ": "mail.pwmtdubai.com:587", "Password: ": "CGwdGIidopbl", "From: ": "Installation@pwmtdubai.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\hNxvspXFyZv.exe, Virustotal: Detection: 30%
Source: C:\Users\user\AppData\Roaming\hNxvspXFyZv.exe, ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exe, Virustotal: Detection: 30%
Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exe, ReversingLabs: Detection: 31%
Multi AV Scanner detection for submitted file
Source: ORDER LIST_PDF.exe, Virustotal: Detection: 30%
Source: ORDER LIST_PDF.exe, ReversingLabs: Detection: 31%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\hNxvspXFyZv.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: ORDER LIST_PDF.exe, Joe Sandbox ML: detected
Source: 3.2.ORDER LIST_PDF.exe.400000.0.unpack, Avira: Label: TR/Spy.Gen8
Source: 14.2.wNanO.exe.400000.0.unpack, Avira: Label: TR/Spy.Gen8
Source: global traffic, TCP traffic: 192.168.2.5:49721 -> 162.241.219.86:587
Source: Joe Sandbox View, ASN Name: UNIFIEDLAYER-AS-1US
Source: unknown, DNS traffic detected: queries for: mail.pwmtdubai.com
Source: ORDER LIST_PDF.exe, 00000000.00000002.213384542.0000000003CE8000.00000004.00000001.sdmp, ORDER LIST_PDF.exe, 00000003.00000002.444837207.0000000000402000.00000040.00000001.sdmp, wNanO.exe, 00000009.00000002.271353269.0000000003538000.00000004.00000001.sdmp, wNanO.exe, 0000000E.00000002.444852624.0000000000402000.00000040.00000001.sdmp, String found in binary or memory: http://127.0.0.1:
Source: ORDER LIST_PDF.exe, 00000003.00000002.447601978.00000000012B2000.00000004.00000020.sdmp, wNanO.exe, 0000000E.00000002.454653544.00000000066B0000.00000004.00000001.sdmp, String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: ORDER LIST_PDF.exe, 00000003.00000002.447601978.00000000012B2000.00000004.00000020.sdmp, wNanO.exe, 0000000E.00000002.454653544.00000000066B0000.00000004.00000001.sdmp, String found in binary or memory: http://cert.int-x3.letsencrypt.org/0
Source: ORDER LIST_PDF.exe, 00000003.00000002.447601978.00000000012B2000.00000004.00000020.sdmp, wNanO.exe, 0000000E.00000002.454653544.00000000066B0000.00000004.00000001.sdmp, String found in binary or memory: http://cps.letsencrypt.org0
Source: ORDER LIST_PDF.exe, 00000003.00000002.447601978.00000000012B2000.00000004.00000020.sdmp, wNanO.exe, 0000000E.00000002.454653544.00000000066B0000.00000004.00000001.sdmp, String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: ORDER LIST_PDF.exe, 00000003.00000002.447601978.00000000012B2000.00000004.00000020.sdmp, String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.cL-
Source: ORDER LIST_PDF.exe, 00000003.00000002.447601978.00000000012B2000.00000004.00000020.sdmp, wNanO.exe, 0000000E.00000002.454653544.00000000066B0000.00000004.00000001.sdmp, String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: ORDER LIST_PDF.exe, 00000000.00000002.217764273.0000000005C90000.00000002.00000001.sdmp, wNanO.exe, 00000009.00000002.277393082.00000000054A0000.00000002.00000001.sdmp, wNanO.exe, 0000000C.00000002.279822586.00000000055E0000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: ORDER LIST_PDF.exe, 00000003.00000002.447601978.00000000012B2000.00000004.00000020.sdmp, wNanO.exe, 0000000E.00000002.454653544.00000000066B0000.00000004.00000001.sdmp, String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
Source: ORDER LIST_PDF.exe, 00000003.00000002.449407177.0000000002F30000.00000004.00000001.sdmp, wNanO.exe, 0000000E.00000002.449895745.000000000312C000.00000004.00000001.sdmp, String found in binary or memory: http://mail.pwmtdubai.com
Source: ORDER LIST_PDF.exe, 00000003.00000002.447601978.00000000012B2000.00000004.00000020.sdmp, String found in binary or memory: http://ocsp.int-x3.k.
Source: ORDER LIST_PDF.exe, 00000003.00000002.448186431.0000000001375000.00000004.00000020.sdmp, wNanO.exe, 0000000E.00000002.454653544.00000000066B0000.00000004.00000001.sdmp, String found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
Source: ORDER LIST_PDF.exe, 00000000.00000002.209327650.0000000002C91000.00000004.00000001.sdmp, wNanO.exe, 00000009.00000002.268920327.0000000002A26000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ORDER LIST_PDF.exe, 00000000.00000002.209327650.0000000002C91000.00000004.00000001.sdmp, wNanO.exe, 00000009.00000002.266052898.00000000024E1000.00000004.00000001.sdmp, wNanO.exe, 0000000C.00000002.270307107.0000000002531000.00000004.00000001.sdmp, String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: ORDER LIST_PDF.exe, 00000000.00000002.217764273.0000000005C90000.00000002.00000001.sdmp, wNanO.exe, 00000009.00000002.277393082.00000000054A0000.00000002.00000001.sdmp, wNanO.exe, 0000000C.00000002.279822586.00000000055E0000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: ORDER LIST_PDF.exe, 00000000.00000003.180198557.0000000005BDE000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.com
Source: ORDER LIST_PDF.exe, 00000000.00000003.180120344.0000000005BAE000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.com.
Source: ORDER LIST_PDF.exe, 00000000.00000003.180198557.0000000005BDE000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comH
Source: ORDER LIST_PDF.exe, 00000000.00000003.180198557.0000000005BDE000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comTC6IC
Source: ORDER LIST_PDF.exe, 00000000.00000002.217764273.0000000005C90000.00000002.00000001.sdmp, wNanO.exe, 00000009.00000002.277393082.00000000054A0000.00000002.00000001.sdmp, wNanO.exe, 0000000C.00000002.279822586.00000000055E0000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: ORDER LIST_PDF.exe, 00000000.00000003.180198557.0000000005BDE000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.como.bH
Source: ORDER LIST_PDF.exe, 00000000.00000003.182376759.0000000005BA4000.00000004.00000001.sdmp, wNanO.exe, 00000009.00000002.277393082.00000000054A0000.00000002.00000001.sdmp, wNanO.exe, 0000000C.00000002.279822586.00000000055E0000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: wNanO.exe, 0000000C.00000002.279822586.00000000055E0000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: ORDER LIST_PDF.exe, 00000000.00000002.217764273.0000000005C90000.00000002.00000001.sdmp, wNanO.exe, 00000009.00000002.277393082.00000000054A0000.00000002.00000001.sdmp, wNanO.exe, 0000000C.00000002.279822586.00000000055E0000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: ORDER LIST_PDF.exe, 00000000.00000002.217764273.0000000005C90000.00000002.00000001.sdmp, wNanO.exe, 00000009.00000002.277393082.00000000054A0000.00000002.00000001.sdmp, wNanO.exe, 0000000C.00000002.279822586.00000000055E0000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: ORDER LIST_PDF.exe, 00000000.00000002.217764273.0000000005C90000.00000002.00000001.sdmp, wNanO.exe, 00000009.00000002.277393082.00000000054A0000.00000002.00000001.sdmp, wNanO.exe, 0000000C.00000002.279822586.00000000055E0000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: ORDER LIST_PDF.exe, 00000000.00000002.217764273.0000000005C90000.00000002.00000001.sdmp, wNanO.exe, 00000009.00000002.277393082.00000000054A0000.00000002.00000001.sdmp, wNanO.exe, 0000000C.00000002.279822586.00000000055E0000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: ORDER LIST_PDF.exe, 00000000.00000002.217764273.0000000005C90000.00000002.00000001.sdmp, wNanO.exe, 00000009.00000002.277393082.00000000054A0000.00000002.00000001.sdmp, wNanO.exe, 0000000C.00000002.279822586.00000000055E0000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: ORDER LIST_PDF.exe, 00000000.00000002.217764273.0000000005C90000.00000002.00000001.sdmp, wNanO.exe, 00000009.00000002.277393082.00000000054A0000.00000002.00000001.sdmp, wNanO.exe, 0000000C.00000002.279822586.00000000055E0000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: ORDER LIST_PDF.exe, 00000000.00000003.207664955.0000000005BA0000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comas
Source: ORDER LIST_PDF.exe, 00000000.00000003.178162281.0000000005BBB000.00000004.00000001.sdmp, wNanO.exe, 00000009.00000002.277393082.00000000054A0000.00000002.00000001.sdmp, wNanO.exe, 0000000C.00000002.279822586.00000000055E0000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: ORDER LIST_PDF.exe, 00000000.00000003.178162281.0000000005BBB000.00000004.00000001.sdmp, String found in binary or memory: http://www.fonts.comc
Source: ORDER LIST_PDF.exe, 00000000.00000003.178116344.0000000005BBB000.00000004.00000001.sdmp, String found in binary or memory: http://www.fonts.comn
Source: ORDER LIST_PDF.exe, 00000000.00000003.179393223.0000000005BAD000.00000004.00000001.sdmp, wNanO.exe, 00000009.00000002.277393082.00000000054A0000.00000002.00000001.sdmp, wNanO.exe, 0000000C.00000002.279822586.00000000055E0000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: ORDER LIST_PDF.exe, 00000000.00000002.217764273.0000000005C90000.00000002.00000001.sdmp, wNanO.exe, 00000009.00000002.277393082.00000000054A0000.00000002.00000001.sdmp, wNanO.exe, 0000000C.00000002.279822586.00000000055E0000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: ORDER LIST_PDF.exe, 00000000.00000002.217764273.0000000005C90000.00000002.00000001.sdmp, wNanO.exe, 00000009.00000002.277393082.00000000054A0000.00000002.00000001.sdmp, wNanO.exe, 0000000C.00000002.279822586.00000000055E0000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: ORDER LIST_PDF.exe, 00000000.00000002.217764273.0000000005C90000.00000002.00000001.sdmp, wNanO.exe, 00000009.00000002.277393082.00000000054A0000.00000002.00000001.sdmp, wNanO.exe, 0000000C.00000002.279822586.00000000055E0000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: ORDER LIST_PDF.exe, 00000000.00000002.217764273.0000000005C90000.00000002.00000001.sdmp, wNanO.exe, 00000009.00000002.277393082.00000000054A0000.00000002.00000001.sdmp, wNanO.exe, 0000000C.00000002.279822586.00000000055E0000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: ORDER LIST_PDF.exe, 00000000.00000002.209231777.0000000001487000.00000004.00000040.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm-
Source: ORDER LIST_PDF.exe, 00000000.00000002.217764273.0000000005C90000.00000002.00000001.sdmp, wNanO.exe, 00000009.00000002.277393082.00000000054A0000.00000002.00000001.sdmp, wNanO.exe, 0000000C.00000002.279822586.00000000055E0000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: ORDER LIST_PDF.exe, 00000000.00000003.181447278.0000000005BA9000.00000004.00000001.sdmp, wNanO.exe, 00000009.00000002.277393082.00000000054A0000.00000002.00000001.sdmp, wNanO.exe, 0000000C.00000002.279822586.00000000055E0000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: ORDER LIST_PDF.exe, 00000000.00000003.181447278.0000000005BA9000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/Cursa
Source: ORDER LIST_PDF.exe, 00000000.00000003.181447278.0000000005BA9000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/E
Source: ORDER LIST_PDF.exe, 00000000.00000003.181447278.0000000005BA9000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/S
Source: ORDER LIST_PDF.exe, 00000000.00000003.181447278.0000000005BA9000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: ORDER LIST_PDF.exe, 00000000.00000003.181447278.0000000005BA9000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0p
Source: ORDER LIST_PDF.exe, 00000000.00000003.181447278.0000000005BA9000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/Z
Source: ORDER LIST_PDF.exe, 00000000.00000003.181447278.0000000005BA9000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/h
Source: ORDER LIST_PDF.exe, 00000000.00000003.181447278.0000000005BA9000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: ORDER LIST_PDF.exe, 00000000.00000003.181447278.0000000005BA9000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/~
Source: ORDER LIST_PDF.exe, 00000000.00000002.217764273.0000000005C90000.00000002.00000001.sdmp, wNanO.exe, 00000009.00000002.277393082.00000000054A0000.00000002.00000001.sdmp, wNanO.exe, 0000000C.00000002.279822586.00000000055E0000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: ORDER LIST_PDF.exe, 00000000.00000002.217764273.0000000005C90000.00000002.00000001.sdmp, wNanO.exe, 00000009.00000002.277393082.00000000054A0000.00000002.00000001.sdmp, wNanO.exe, 0000000C.00000002.279822586.00000000055E0000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: ORDER LIST_PDF.exe, 00000000.00000002.217764273.0000000005C90000.00000002.00000001.sdmp, wNanO.exe, 00000009.00000002.277393082.00000000054A0000.00000002.00000001.sdmp, wNanO.exe, 0000000C.00000002.279822586.00000000055E0000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: wNanO.exe, 0000000C.00000002.279822586.00000000055E0000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: ORDER LIST_PDF.exe, 00000000.00000003.179809838.0000000005BA2000.00000004.00000001.sdmp, String found in binary or memory: http://www.tiro.coml-g
Source: ORDER LIST_PDF.exe, 00000000.00000002.217764273.0000000005C90000.00000002.00000001.sdmp, wNanO.exe, 00000009.00000002.277393082.00000000054A0000.00000002.00000001.sdmp, wNanO.exe, 0000000C.00000002.279822586.00000000055E0000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: ORDER LIST_PDF.exe, 00000000.00000002.217764273.0000000005C90000.00000002.00000001.sdmp, wNanO.exe, 00000009.00000002.277393082.00000000054A0000.00000002.00000001.sdmp, wNanO.exe, 0000000C.00000002.279822586.00000000055E0000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: ORDER LIST_PDF.exe, 00000000.00000002.217764273.0000000005C90000.00000002.00000001.sdmp, wNanO.exe, 00000009.00000002.277393082.00000000054A0000.00000002.00000001.sdmp, wNanO.exe, 0000000C.00000002.279822586.00000000055E0000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: ORDER LIST_PDF.exe, 00000000.00000003.180075958.0000000005BDD000.00000004.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cnH
Source: ORDER LIST_PDF.exe, 00000000.00000003.180075958.0000000005BDD000.00000004.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cna-dMH
Source: wNanO.exe, 0000000E.00000002.450004330.0000000003155000.00000004.00000001.sdmp, String found in binary or memory: http://xStCKv2M62Eiir94.org
Source: wNanO.exe, 0000000E.00000002.449212894.0000000002FCE000.00000004.00000001.sdmp, String found in binary or memory: http://xStCKv2M62Eiir94.orgX
Source: ORDER LIST_PDF.exe, 00000000.00000002.213384542.0000000003CE8000.00000004.00000001.sdmp, ORDER LIST_PDF.exe, 00000003.00000002.444837207.0000000000402000.00000040.00000001.sdmp, wNanO.exe, 00000009.00000002.271353269.0000000003538000.00000004.00000001.sdmp, wNanO.exe, 0000000E.00000002.444852624.0000000000402000.00000040.00000001.sdmp, String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: ORDER LIST_PDF.exe, 00000000.00000002.213384542.0000000003CE8000.00000004.00000001.sdmp, ORDER LIST_PDF.exe, 00000003.00000002.444837207.0000000000402000.00000040.00000001.sdmp, wNanO.exe, 00000009.00000002.271353269.0000000003538000.00000004.00000001.sdmp, wNanO.exe, 0000000E.00000002.444852624.0000000000402000.00000040.00000001.sdmp, String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: ORDER LIST_PDF.exe, 00000000.00000002.213384542.0000000003CE8000.00000004.00000001.sdmp, ORDER LIST_PDF.exe, 00000003.00000002.444837207.0000000000402000.00000040.00000001.sdmp, wNanO.exe, 00000009.00000002.271353269.0000000003538000.00000004.00000001.sdmp, wNanO.exe, 0000000E.00000002.444852624.0000000000402000.00000040.00000001.sdmp, String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/U
Source: ORDER LIST_PDF.exe, 00000000.00000002.209041766.0000000001099000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample, Static PE information: Filename: ORDER LIST_PDF.exe
Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe, Code function: 0_2_008C3BE1
Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe, Code function: 0_2_008C3CB0
Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe, Code function: 0_2_0106E448
Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe, Code function: 0_2_0106E458
Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe, Code function: 0_2_0106B7FC
Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe, Code function: 0_2_073D8F00
Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe, Code function: 0_2_073D55C0
Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe, Code function: 0_2_073D6482
Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe, Code function: 0_2_073DBB08
Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe, Code function: 0_2_073D3810
Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe, Code function: 0_2_073D6878
Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe, Code function: 0_2_073D50A8
Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe, Code function: 0_2_073D4778
Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe, Code function: 0_2_073D06F0
Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe, Code function: 0_2_073D06E0
Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe, Code function: 0_2_073D55B0
Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe, Code function: 0_2_073D04F0
Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe, Code function: 0_2_073D04E0
Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe, Code function: 0_2_073D3B00
Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe, Code function: 0_2_073D0278
Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe, Code function: 0_2_073D0268
Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe, Code function: 0_2_073D9260
Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe, Code function: 0_2_073D9A40
Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe, Code function: 0_2_073D12B0
Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe, Code function: 0_2_073D4118
Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe, Code function: 0_2_073D11F8
Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe, Code function: 0_2_073D0006
Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe, Code function: 0_2_073D3800
Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe, Code function: 0_2_073D0040
Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe, Code function: 0_2_073D509A
Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe, Code function: 0_2_073D40D0
Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe, Code function: 3_2_00B03CB0
Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe, Code function: 3_2_00B03BE1
Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe, Code function: 3_2_0151A080
Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe, Code function: 3_2_0151A3C8
Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe, Code function: 3_2_0151CC58
Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe, Code function: 3_2_0151AC98
Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe, Code function: 3_2_015110CA
Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe, Code function: 3_2_05758714
Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe, Code function: 3_2_057547F0
Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe, Code function: 3_2_0575D068
Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe, Code function: 3_2_05756FD6
Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe, Code function: 3_2_05757B00
Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe, Code function: 3_2_0575C44E
Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe, Code function: 3_2_057547E0
Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe, Code function: 3_2_0575C078
Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe, Code function: 3_2_0575D059
Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe, Code function: 3_2_0575C3DA
Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe, Code function: 3_2_05758BD2
Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe, Code function: 3_2_05757AF2
Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exe, Code function: 9_2_000A3BE1
Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exe, Code function: 9_2_000A3CB0
Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exe, Code function: 9_2_022FE448
Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exe, Code function: 9_2_022FE458
Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exe, Code function: 9_2_022FB7FC
Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exe, Code function: 9_2_06A18F00
Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exe, Code function: 9_2_06A19750
Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exe, Code function: 9_2_06A155C0
Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exe, Code function: 9_2_06A16282
Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exe, Code function: 9_2_06A150A8
Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exe, Code function: 9_2_06A13810
Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exe, Code function: 9_2_06A16878
Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exe, Code function: 9_2_06A1DEA0
Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exe, Code function: 9_2_06A106E0
Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exe, Code function: 9_2_06A106F0
Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exe, Code function: 9_2_06A18EF0
Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exe, Code function: 9_2_06A14778
Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exe, Code function: 9_2_06A19499
Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exe, Code function: 9_2_06A104E0
Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exe, Code function: 9_2_06A104F0
Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exe, Code function: 9_2_06A19C59
Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exe, Code function: 9_2_06A155B0
Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exe, Code function: 9_2_06A18D6A
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exeCode function: 9_2_06A112B09_2_06A112B0
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exeCode function: 9_2_06A19A309_2_06A19A30
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exeCode function: 9_2_06A192609_2_06A19260
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exeCode function: 9_2_06A102689_2_06A10268
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exeCode function: 9_2_06A102789_2_06A10278
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exeCode function: 9_2_06A19A409_2_06A19A40
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exeCode function: 9_2_06A192519_2_06A19251
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exeCode function: 9_2_06A13B009_2_06A13B00
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exeCode function: 9_2_06A1509A9_2_06A1509A
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exeCode function: 9_2_06A140D09_2_06A140D0
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exeCode function: 9_2_06A138009_2_06A13800
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exeCode function: 9_2_06A100409_2_06A10040
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exeCode function: 9_2_06A111F89_2_06A111F8
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exeCode function: 9_2_06A141189_2_06A14118
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exeCode function: 12_2_00163CB012_2_00163CB0
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exeCode function: 12_2_00163BE112_2_00163BE1
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exeCode function: 12_2_00BFE45812_2_00BFE458
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exeCode function: 12_2_00BFE44812_2_00BFE448
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exeCode function: 12_2_00BFB7FC12_2_00BFB7FC
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exeCode function: 14_2_013AA08014_2_013AA080
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exeCode function: 14_2_013AA3C814_2_013AA3C8
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exeCode function: 14_2_013ACC5814_2_013ACC58
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exeCode function: 14_2_013AAC9814_2_013AAC98
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exeCode function: 14_2_013A10CA14_2_013A10CA
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exeCode function: 14_2_0574871414_2_05748714
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exeCode function: 14_2_057447F014_2_057447F0
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exeCode function: 14_2_0574D06814_2_0574D068
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exeCode function: 14_2_05744B6814_2_05744B68
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exeCode function: 14_2_05747B0014_2_05747B00
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exeCode function: 14_2_0574C44E14_2_0574C44E
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exeCode function: 14_2_057447E014_2_057447E0
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exeCode function: 14_2_0574C07814_2_0574C078
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exeCode function: 14_2_0574D05914_2_0574D059
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exeCode function: 14_2_0574C3DA14_2_0574C3DA
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exeCode function: 14_2_05744B5814_2_05744B58
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exeCode function: 14_2_05748BF014_2_05748BF0
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exeCode function: 14_2_05747AD014_2_05747AD0
                Source: ORDER LIST_PDF.exe | Binary or memory string: OriginalFilename vs ORDER LIST_PDF.exe
                Source: ORDER LIST_PDF.exe, 00000000.00000002.213384542.0000000003CE8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameB2B.exe4 vs ORDER LIST_PDF.exe
                Source: ORDER LIST_PDF.exe, 00000000.00000002.213384542.0000000003CE8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameduAntyPYhMBdEXCZUutk.exe4 vs ORDER LIST_PDF.exe
                Source: ORDER LIST_PDF.exe, 00000000.00000002.213384542.0000000003CE8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSzy.exe( vs ORDER LIST_PDF.exe
                Source: ORDER LIST_PDF.exe, 00000000.00000002.221825905.0000000007670000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs ORDER LIST_PDF.exe
                Source: ORDER LIST_PDF.exe, 00000000.00000002.221825905.0000000007670000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs ORDER LIST_PDF.exe
                Source: ORDER LIST_PDF.exe, 00000000.00000002.209327650.0000000002C91000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWinRar.dll. vs ORDER LIST_PDF.exe
                Source: ORDER LIST_PDF.exe, 00000000.00000002.222461486.000000000D510000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs ORDER LIST_PDF.exe
                Source: ORDER LIST_PDF.exe, 00000000.00000002.209041766.0000000001099000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs ORDER LIST_PDF.exe
                Source: ORDER LIST_PDF.exe, 00000003.00000002.454454028.0000000006560000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx vs ORDER LIST_PDF.exe
                Source: ORDER LIST_PDF.exe, 00000003.00000002.454857203.0000000006760000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs ORDER LIST_PDF.exe
                Source: ORDER LIST_PDF.exe, 00000003.00000002.454515096.0000000006580000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs ORDER LIST_PDF.exe
                Source: ORDER LIST_PDF.exe, 00000003.00000002.447533934.000000000128A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs ORDER LIST_PDF.exe
                Source: ORDER LIST_PDF.exe, 00000003.00000002.444837207.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameduAntyPYhMBdEXCZUutk.exe4 vs ORDER LIST_PDF.exe
                Source: ORDER LIST_PDF.exe, 00000003.00000002.445594026.0000000000F37000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs ORDER LIST_PDF.exe
                Source: ORDER LIST_PDF.exe, 00000003.00000002.454227203.0000000006450000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSzy.exe( vs ORDER LIST_PDF.exe
                Source: ORDER LIST_PDF.exe, 00000003.00000002.452696385.00000000053F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewbemdisp.tlbj% vs ORDER LIST_PDF.exe
                Source: ORDER LIST_PDF.exe | Binary or memory string: OriginalFilenameSzy.exe( vs ORDER LIST_PDF.exe
                Source: ORDER LIST_PDF.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                Source: hNxvspXFyZv.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                Source: wNanO.exe.3.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@13/7@2/1
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe | File created: C:\Users\user\AppData\Roaming\hNxvspXFyZv.exe
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5988:120:WilError_01
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4704:120:WilError_01
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exe | Mutant created: \Sessions\1\BaseNamedObjects\zAUzeGlGsebXgabytO
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe | File created: C:\Users\user\AppData\Local\Temp\tmpCBE2.tmp
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe | File read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: ORDER LIST_PDF.exe | Virustotal: Detection: 30%
                Source: ORDER LIST_PDF.exe | ReversingLabs: Detection: 31%
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe | File read: C:\Users\user\Desktop\ORDER LIST_PDF.exe:Zone.Identifier
                Source: unknown | Process created: C:\Users\user\Desktop\ORDER LIST_PDF.exe 'C:\Users\user\Desktop\ORDER LIST_PDF.exe'
                Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\hNxvspXFyZv' /XML 'C:\Users\user\AppData\Local\Temp\tmpCBE2.tmp'
                Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknown | Process created: C:\Users\user\Desktop\ORDER LIST_PDF.exe {path}
                Source: unknown | Process created: C:\Users\user\AppData\Roaming\wNanO\wNanO.exe 'C:\Users\user\AppData\Roaming\wNanO\wNanO.exe'
                Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\hNxvspXFyZv' /XML 'C:\Users\user\AppData\Local\Temp\tmp4047.tmp'
                Source: unknown | Process created: C:\Users\user\AppData\Roaming\wNanO\wNanO.exe {path}
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\hNxvspXFyZv' /XML 'C:\Users\user\AppData\Local\Temp\tmpCBE2.tmp'
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe | Process created: C:\Users\user\Desktop\ORDER LIST_PDF.exe {path}
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\hNxvspXFyZv' /XML 'C:\Users\user\AppData\Local\Temp\tmp4047.tmp'
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exe | Process created: C:\Users\user\AppData\Roaming\wNanO\wNanO.exe {path}
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: ORDER LIST_PDF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: ORDER LIST_PDF.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                Data Obfuscation:

                .NET source code contains method to dynamically call methods (often used by packers)
                Source: ORDER LIST_PDF.exe, job/SparseArray.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, io }, null, null)
                Source: hNxvspXFyZv.exe.0.dr, job/SparseArray.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, io }, null, null)
                Source: 0.2.ORDER LIST_PDF.exe.8c0000.0.unpack, job/SparseArray.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, io }, null, null)
                Source: 0.0.ORDER LIST_PDF.exe.8c0000.0.unpack, job/SparseArray.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, io }, null, null)
                Source: wNanO.exe.3.dr, job/SparseArray.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, io }, null, null)
                Source: 3.2.ORDER LIST_PDF.exe.b00000.1.unpack, job/SparseArray.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, io }, null, null)
                Source: 3.0.ORDER LIST_PDF.exe.b00000.0.unpack, job/SparseArray.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, io }, null, null)
                Source: 9.0.wNanO.exe.a0000.0.unpack, job/SparseArray.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, io }, null, null)
                Source: 9.2.wNanO.exe.a0000.0.unpack, job/SparseArray.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, io }, null, null)
                Source: 12.2.wNanO.exe.160000.0.unpack, job/SparseArray.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, io }, null, null)
                Source: 12.0.wNanO.exe.160000.0.unpack, job/SparseArray.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, io }, null, null)
                Source: 14.2.wNanO.exe.af0000.1.unpack, job/SparseArray.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, io }, null, null)
                Source: 14.0.wNanO.exe.af0000.0.unpack, job/SparseArray.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, io }, null, null)
                .NET source code contains potential unpacker
                Source: ORDER LIST_PDF.exe, job/SparseArray.cs | .Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: hNxvspXFyZv.exe.0.dr, job/SparseArray.cs | .Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 0.2.ORDER LIST_PDF.exe.8c0000.0.unpack, job/SparseArray.cs | .Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 0.0.ORDER LIST_PDF.exe.8c0000.0.unpack, job/SparseArray.cs | .Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: wNanO.exe.3.dr, job/SparseArray.cs | .Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 3.2.ORDER LIST_PDF.exe.b00000.1.unpack, job/SparseArray.cs | .Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 3.0.ORDER LIST_PDF.exe.b00000.0.unpack, job/SparseArray.cs | .Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 9.0.wNanO.exe.a0000.0.unpack, job/SparseArray.cs | .Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 9.2.wNanO.exe.a0000.0.unpack, job/SparseArray.cs | .Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 12.2.wNanO.exe.160000.0.unpack, job/SparseArray.cs | .Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 12.0.wNanO.exe.160000.0.unpack, job/SparseArray.cs | .Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 14.2.wNanO.exe.af0000.1.unpack, job/SparseArray.cs | .Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 14.0.wNanO.exe.af0000.0.unpack, job/SparseArray.cs | .Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe | Code function: 0_2_008C369F push cs; iretd 0_2_008C36E4
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe | Code function: 0_2_0106F810 push esp; iretd 0_2_0106F811
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe | Code function: 0_2_0106F8E4 pushfd ; iretd 0_2_0106F8E5
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe | Code function: 0_2_073D186F push es; iretd 0_2_073D187D
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe | Code function: 0_2_073D2886 pushfd ; iretd 0_2_073D2887
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe | Code function: 3_2_00B0369F push cs; iretd 3_2_00B036E4
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exe | Code function: 9_2_000A369F push cs; iretd 9_2_000A36E4
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exe | Code function: 9_2_022FF810 push esp; iretd 9_2_022FF811
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exe | Code function: 9_2_022FF8E4 pushfd ; iretd 9_2_022FF8E5
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exe | Code function: 9_2_06A13616 push es; retf 9_2_06A13640
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exe | Code function: 9_2_06A14D88 push es; retf 9_2_06A14D90
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exe | Code function: 9_2_06A12886 pushfd ; iretd 9_2_06A12887
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exe | Code function: 9_2_06A1186F push es; iretd 9_2_06A1187D
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exe | Code function: 12_2_0016369F push cs; iretd 12_2_001636E4
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exe | Code function: 12_2_00BFF8E4 pushfd ; iretd 12_2_00BFF8E5
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exe | Code function: 12_2_00BFF810 push esp; iretd 12_2_00BFF811
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exe | Code function: 14_2_00AF369F push cs; iretd 14_2_00AF36E4
                Source: initial sample | Static PE information: section name: .text entropy: 7.97938262696
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe | File created: C:\Users\user\AppData\Roaming\wNanO\wNanO.exe
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe | File created: C:\Users\user\AppData\Roaming\hNxvspXFyZv.exe

                Boot Survival:

                Uses schtasks.exe or at.exe to add and modify task schedules
                Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\hNxvspXFyZv' /XML 'C:\Users\user\AppData\Local\Temp\tmpCBE2.tmp'
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run wNanO

                Hooking and other Techniques for Hiding and Protection:

                Hides that the sample has been downloaded from the Internet (zone.identifier)
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe | File opened: C:\Users\user\AppData\Roaming\wNanO\wNanO.exe:Zone.Identifier read attributes | delete
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\ORDER LIST_PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\wNanO\wNanO.exe    Process information set: NOOPENFILEERRORBOX