
Analysis Report New Order #442-173.exe

Overview

General Information

Sample Name: New Order #442-173.exe
Analysis ID: 286588
MD5: 52ede7945a0446ae5442b95c405b8e29
SHA1: b06959345182f5a2cc287f5d386ff9246e8cab14
SHA256: e92f8fb4f206c2ebf57c7e2db8e28efe3d8580b61c70de8463fbfc0967542b67
Tags: AgentTesla, exe

Most interesting Screenshot:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000000.00000002.402534914.0000000003CFB000.00000004.00000001.sdmp
Rule: JoeSecurity_AgentTesla_1
Description: Yara detected AgentTesla
Author: Joe Security

Source: Process Memory Space: New Order #442-173.exe PID: 6000
Rule: JoeSecurity_AntiVM_3
Description: Yara detected AntiVM_3
Author: Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: New Order #442-173.exe, Virustotal: Detection: 45%
Source: New Order #442-173.exe, ReversingLabs: Detection: 37%
Machine Learning detection for sample
Source: New Order #442-173.exe, Joe Sandbox ML: detected
Source: global traffic, TCP traffic: 192.168.2.3:49745 -> 77.88.21.158:587
Source: Joe Sandbox View, IP Address: 77.88.21.158
Source: unknown, DNS traffic detected: queries for: smtp.yandex.com
Source: New Order #442-173.exe, 00000002.00000003.485613757.0000000000C74000.00000004.00000001.sdmp, String found in binary or memory: http://SdUGWBS2nUF.org
Source: New Order #442-173.exe, 00000000.00000002.407829555.0000000005C20000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: New Order #442-173.exe, 00000000.00000002.399067429.0000000002CA1000.00000004.00000001.sdmp, String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: New Order #442-173.exe, 00000000.00000002.407829555.0000000005C20000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: New Order #442-173.exe, 00000000.00000002.407829555.0000000005C20000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: New Order #442-173.exe, 00000000.00000002.407829555.0000000005C20000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: New Order #442-173.exe, 00000000.00000002.407829555.0000000005C20000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: New Order #442-173.exe, 00000000.00000002.407829555.0000000005C20000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: New Order #442-173.exe, 00000000.00000002.407829555.0000000005C20000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: New Order #442-173.exe, 00000000.00000002.407829555.0000000005C20000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: New Order #442-173.exe, 00000000.00000002.407829555.0000000005C20000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: New Order #442-173.exe, 00000000.00000002.407829555.0000000005C20000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: New Order #442-173.exe, 00000000.00000002.407829555.0000000005C20000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: New Order #442-173.exe, 00000000.00000002.407829555.0000000005C20000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: New Order #442-173.exe, 00000000.00000002.407829555.0000000005C20000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: New Order #442-173.exe, 00000000.00000002.407829555.0000000005C20000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: New Order #442-173.exe, 00000000.00000002.407829555.0000000005C20000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: New Order #442-173.exe, 00000000.00000002.407829555.0000000005C20000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: New Order #442-173.exe, 00000000.00000002.407829555.0000000005C20000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: New Order #442-173.exe, 00000000.00000002.407829555.0000000005C20000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: New Order #442-173.exe, 00000000.00000002.407829555.0000000005C20000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: New Order #442-173.exe, 00000000.00000002.407829555.0000000005C20000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: New Order #442-173.exe, 00000000.00000002.407829555.0000000005C20000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: New Order #442-173.exe, 00000000.00000002.407829555.0000000005C20000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: New Order #442-173.exe, 00000000.00000002.407829555.0000000005C20000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: New Order #442-173.exe, 00000000.00000002.407829555.0000000005C20000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: New Order #442-173.exe, 00000000.00000002.407829555.0000000005C20000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: New Order #442-173.exe, 00000000.00000002.407829555.0000000005C20000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample, Static PE information: Filename: New Order #442-173.exe
Source: C:\Users\user\Desktop\New Order #442-173.exe, Code function: 0_2_00893BE1
Source: C:\Users\user\Desktop\New Order #442-173.exe, Code function: 0_2_0122E448
Source: C:\Users\user\Desktop\New Order #442-173.exe, Code function: 0_2_0122E458
Source: C:\Users\user\Desktop\New Order #442-173.exe, Code function: 0_2_0122B7FC
Source: New Order #442-173.exe, Binary or memory string: OriginalFilename vs New Order #442-173.exe
Source: New Order #442-173.exe, 00000000.00000002.412709927.0000000007130000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamemscorrc.dllT vs New Order #442-173.exe
Source: New Order #442-173.exe, 00000000.00000002.399067429.0000000002CA1000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameWinRar.dll. vs New Order #442-173.exe
Source: New Order #442-173.exe, 00000000.00000002.412962010.0000000007350000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameB2B.exe4 vs New Order #442-173.exe
Source: New Order #442-173.exe, 00000000.00000002.399194685.0000000002CEE000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameOTFObgAmYzSmylDQVdcZZZSbQhUQshyeLcloGs.exe4 vs New Order #442-173.exe
Source: New Order #442-173.exe, Binary or memory string: OriginalFilenameBkW.exe( vs New Order #442-173.exe
Source: New Order #442-173.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine, Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/1
Source: C:\Users\user\Desktop\New Order #442-173.exe, File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\New Order #442-173.exe.log
Source: C:\Users\user\Desktop\New Order #442-173.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\New Order #442-173.exe, WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\New Order #442-173.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\New Order #442-173.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\New Order #442-173.exe, File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\New Order #442-173.exe, File read: C:\Users\user\Desktop\New Order #442-173.exe:Zone.Identifier
Source: unknown, Process created: C:\Users\user\Desktop\New Order #442-173.exe 'C:\Users\user\Desktop\New Order #442-173.exe'
Source: unknown, Process created: C:\Users\user\Desktop\New Order #442-173.exe {path}
Source: C:\Users\user\Desktop\New Order #442-173.exe, Process created: C:\Users\user\Desktop\New Order #442-173.exe {path}
Source: C:\Users\user\Desktop\New Order #442-173.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\New Order #442-173.exe, File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\New Order #442-173.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: New Order #442-173.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: New Order #442-173.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains method to dynamically call methods (often used by packers)
Source: New Order #442-173.exe, job/SparseArray.cs, .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, io }, null, null)
Source: 0.2.New Order #442-173.exe.890000.0.unpack, job/SparseArray.cs, .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, io }, null, null)
Source: 0.0.New Order #442-173.exe.890000.0.unpack, job/SparseArray.cs, .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, io }, null, null)
Source: 2.0.New Order #442-173.exe.650000.0.unpack, job/SparseArray.cs, .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, io }, null, null)
.NET source code contains potential unpacker
Source: New Order #442-173.exe, job/SparseArray.cs, .Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.New Order #442-173.exe.890000.0.unpack, job/SparseArray.cs, .Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.New Order #442-173.exe.890000.0.unpack, job/SparseArray.cs, .Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.New Order #442-173.exe.650000.0.unpack, job/SparseArray.cs, .Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\New Order #442-173.exe, Code function: 0_2_0122F810 push esp; iretd 0_2_0122F811
Source: C:\Users\user\Desktop\New Order #442-173.exe, Code function: 0_2_0122F8E4 pushfd ; iretd 0_2_0122F8E5
Source: initial sample, Static PE information: section name: .text entropy: 7.97323500808
Source: C:\Users\user\Desktop\New Order #442-173.exe, Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match, File source: Process Memory Space: New Order #442-173.exe PID: 6000, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\New Order #442-173.exe, WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\New Order #442-173.exe, WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: New Order #442-173.exe, 00000000.00000002.399126458.0000000002CDF000.00000004.00000001.sdmp, Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: New Order #442-173.exe, 00000000.00000002.399126458.0000000002CDF000.00000004.00000001.sdmp, Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\New Order #442-173.exe, Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\New Order #442-173.exe, Window / User API: threadDelayed 704
Source: C:\Users\user\Desktop\New Order #442-173.exe, TID: 4696, Thread sleep time: -33000s >= -30000s
Source: C:\Users\user\Desktop\New Order #442-173.exe, TID: 6808, Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\New Order #442-173.exe, TID: 1896, Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\New Order #442-173.exe, TID: 4984, Thread sleep count: 286 > 30
Source: C:\Users\user\Desktop\New Order #442-173.exe, TID: 4984, Thread sleep count: 704 > 30
Source: C:\Users\user\Desktop\New Order #442-173.exe, TID: 1896, Thread sleep time: -59312s >= -30000s
Source: C:\Users\user\Desktop\New Order #442-173.exe, TID: 1896, Thread sleep time: -58406s >= -30000s
Source: C:\Users\user\Desktop\New Order #442-173.exe, TID: 1896, Thread sleep time: -58188s >= -30000s
Source: C:\Users\user\Desktop\New Order #442-173.exe, TID: 1896, Thread sleep time: -58000s >= -30000s
Source: C:\Users\user\Desktop\New Order #442-173.exe, TID: 1896, Thread sleep time: -57500s >= -30000s
Source: C:\Users\user\Desktop\New Order #442-173.exe, TID: 1896, Thread sleep time: -56406s >= -30000s
Source: C:\Users\user\Desktop\New Order #442-173.exe, TID: 1896, Thread sleep time: -55812s >= -30000s
Source: C:\Users\user\Desktop\New Order #442-173.exe, TID: 1896, Thread sleep time: -55094s >= -30000s
Source: C:\Users\user\Desktop\New Order #442-173.exe, TID: 1896, Thread sleep time: -54594s >= -30000s
Source: C:\Users\user\Desktop\New Order #442-173.exe, TID: 1896, Thread sleep time: -54406s >= -30000s
Source: C:\Users\user\Desktop\New Order #442-173.exe, TID: 1896, Thread sleep time: -80859s >= -30000s
Source: C:\Users\user\Desktop\New Order #442-173.exe, TID: 1896, Thread sleep time: -80532s >= -30000s
Source: C:\Users\user\Desktop\New Order #442-173.exe, TID: 1896, Thread sleep time: -80250s >= -30000s
Source: C:\Users\user\Desktop\New Order #442-173.exe, TID: 1896, Thread sleep time: -52312s >= -30000s
Source: C:\Users\user\Desktop\New Order #442-173.exe, TID: 1896, Thread sleep time: -48812s >= -30000s
Source: C:\Users\user\Desktop\New Order #442-173.exe, TID: 1896, Thread sleep time: -72891s >= -30000s
Source: C:\Users\user\Desktop\New Order #442-173.exe, TID: 1896, Thread sleep time: -71250s >= -30000s
Source: C:\Users\user\Desktop\New Order #442-173.exe, TID: 1896, Thread sleep time: -47312s >= -30000s
Source: C:\Users\user\Desktop\New Order #442-173.exe, TID: 1896, Thread sleep time: -47000s >= -30000s
Source: C:\Users\user\Desktop\New Order #442-173.exe, TID: 1896, Thread sleep time: -46594s >= -30000s
Source: C:\Users\user\Desktop\New Order #442-173.exe, TID: 1896, Thread sleep time: -69609s >= -30000s
Source: C:\Users\user\Desktop\New Order #442-173.exe, TID: 1896, Thread sleep time: -68250s >= -30000s
Source: C:\Users\user\Desktop\New Order #442-173.exe, TID: 1896, Thread sleep time: -45312s >= -30000s
Source: C:\Users\user\Desktop\New Order #442-173.exe, TID: 1896, Thread sleep time: -67641s >= -30000s
Source: C:\Users\user\Desktop\New Order #442-173.exe, TID: 1896, Thread sleep time: -44594s >= -30000s
Source: C:\Users\user\Desktop\New Order #442-173.exe, TID: 1896, Thread sleep time: -44406s >= -30000s
Source: C:\Users\user\Desktop\New Order #442-173.exe, TID: 1896, Thread sleep time: -44000s >= -30000s
Source: C:\Users\user\Desktop\New Order #442-173.exe, TID: 1896, Thread sleep time: -43094s >= -30000s
Source: C:\Users\user\Desktop\New Order #442-173.exe, TID: 1896, Thread sleep time: -42906s >= -30000s
Source: C:\Users\user\Desktop\New Order #442-173.exe, TID: 1896, Thread sleep time: -42406s >= -30000s
Source: C:\Users\user\Desktop\New Order #442-173.exe, TID: 1896, Thread sleep time: -42000s >= -30000s
Source: C:\Users\user\Desktop\New Order #442-173.exe, TID: 1896, Thread sleep time: -41812s >= -30000s
Source: C:\Users\user\Desktop\New Order #442-173.exe, TID: 1896, Thread sleep time: -41594s >= -30000s
Source: C:\Users\user\Desktop\New Order #442-173.exe, TID: 1896, Thread sleep time: -41312s >= -30000s
Source: C:\Users\user\Desktop\New Order #442-173.exe, TID: 1896, Thread sleep time: -61641s >= -30000s
Source: C:\Users\user\Desktop\New Order #442-173.exe, TID: 1896, Thread sleep time: -61359s >= -30000s
Source: C:\Users\user\Desktop\New Order #442-173.exe, TID: 1896, Thread sleep time: -40500s >= -30000s
Source: C:\Users\user\Desktop\New Order #442-173.exe, TID: 1896, Thread sleep time: -40000s >= -30000s
Source: C:\Users\user\Desktop\New Order #442-173.exe, TID: 1896, Thread sleep time: -38906s >= -30000s
Source: C:\Users\user\Desktop\New Order #442-173.exe, TID: 1896, Thread sleep time: -38688s >= -30000s
Source: C:\Users\user\Desktop\New Order #442-173.exe, TID: 1896, Thread sleep time: -35406s >= -30000s
Source: C:\Users\user\Desktop\New Order #442-173.exe, TID: 1896, Thread sleep time: -33312s >= -30000s
Source: C:\Users\user\Desktop\New Order #442-173.exe, TID: 1896, Thread sleep time: -32406s >= -30000s
Source: C:\Users\user\Desktop\New Order #442-173.exe, TID: 1896, Thread sleep time: -31312s >= -30000s
Source: C:\Users\user\Desktop\New Order #442-173.exe, TID: 1896, Thread sleep time: -46641s >= -30000s
Source: C:\Users\user\Desktop\New Order #442-173.exe, TID: 1896, Thread sleep time: -30406s >= -30000s
Source: C:\Users\user\Desktop\New Order #442-173.exe, TID: 1896, Thread sleep time: -30188s >= -30000s
Source: C:\Users\user\Desktop\New Order #442-173.exe, TID: 1896, Thread sleep time: -45000s >= -30000s
      Source: C:\Users\user\Desktop\New Order #442-173.exe TID: 1896Thread sleep time: -43359s >= -30000sJump to behavior
      Source: C:\Users\user\Desktop\New Order #442-173.exe TID: 1896Thread sleep time: -41391s >= -30000sJump to behavior
      Source: C:\Users\user\Desktop\New Order #442-173.exe TID: 1896Thread sleep time: -39750s >= -30000sJump to behavior
      Source: C:\Users\user\Desktop\New Order #442-173.exe TID: 1896Thread sleep time: -36141s >= -30000sJump to behavior
      Source: C:\Users\user\Desktop\New Order #442-173.exe TID: 1896Thread sleep time: -30000s >= -30000sJump to behavior
      Source: C:\Users\user\Desktop\New Order #442-173.exe TID: 1896Thread sleep time: -89391s >= -30000sJump to behavior
      Source: C:\Users\user\Desktop\New Order #442-173.exe TID: 1896Thread sleep time: -58906s >= -30000sJump to behavior
      Source: C:\Users\user\Desktop\New Order #442-173.exe TID: 1896Thread sleep time: -56906s >= -30000sJump to behavior
      Source: C:\Users\user\Desktop\New Order #442-173.exe TID: 1896Thread sleep time: -55594s >= -30000sJump to behavior
      Source: C:\Users\user\Desktop\New Order #442-173.exe TID: 1896Thread sleep time: -83109s >= -30000sJump to behavior
      Source: C:\Users\user\Desktop\New Order #442-173.exe TID: 1896Thread sleep time: -52594s >= -30000sJump to behavior
      Source: C:\Users\user\Desktop\New Order #442-173.exe TID: 1896Thread sleep time: -51906s >= -30000sJump to behavior
      Source: C:\Users\user\Desktop\New Order #442-173.exe TID: 1896Thread sleep time: -51500s >= -30000sJump to behavior
      Source: C:\Users\user\Desktop\New Order #442-173.exe TID: 1896Thread sleep time: -51000s >= -30000sJump to behavior
      Source: C:\Users\user\Desktop\New Order #442-173.exe TID: 1896Thread sleep time: -50594s >= -30000sJump to behavior
      Source: C:\Users\user\Desktop\New Order #442-173.exe TID: 1896Thread sleep time: -50406s >= -30000sJump to behavior
      Source: C:\Users\user\Desktop\New Order #442-173.exe TID: 1896Thread sleep time: -49906s >= -30000sJump to behavior
      Source: C:\Users\user\Desktop\New Order #442-173.exe TID: 1896Thread sleep time: -49500s >= -30000sJump to behavior
      Source: C:\Users\user\Desktop\New Order #442-173.exe TID: 1896Thread sleep time: -49094s >= -30000sJump to behavior
      Source: C:\Users\user\Desktop\New Order #442-173.exe TID: 1896Thread sleep time: -44906s >= -30000sJump to behavior
      Source: C:\Users\user\Desktop\New Order #442-173.exe TID: 1896Thread sleep time: -39500s >= -30000sJump to behavior
      Source: C:\Users\user\Desktop\New Order #442-173.exe TID: 1896Thread sleep time: -38406s >= -30000sJump to behavior
      Source: C:\Users\user\Desktop\New Order #442-173.exe TID: 1896Thread sleep time: -37094s >= -30000sJump to behavior
      Source: C:\Users\user\Desktop\New Order #442-173.exe TID: 1896Thread sleep time: -36906s >= -30000sJump to behavior
      Source: C:\Users\user\Desktop\New Order #442-173.exe TID: 1896Thread sleep time: -36406s >= -30000sJump to behavior
      Source: C:\Users\user\Desktop\New Order #442-173.exe TID: 1896Thread sleep time: -34000s >= -30000sJump to behavior
      Source: C:\Users\user\Desktop\New Order #442-173.exe TID: 1896Thread sleep time: -32906s >= -30000sJump to behavior
      Source: C:\Users\user\Desktop\New Order #442-173.exe TID: 1896Thread sleep time: -30906s >= -30000sJump to behavior
      Source: C:\Users\user\Desktop\New Order #442-173.exe TID: 1896Thread sleep time: -56500s >= -30000sJump to behavior
      Source: C:\Users\user\Desktop\New Order #442-173.exe TID: 1896Thread sleep time: -56094s >= -30000sJump to behavior
      Source: C:\Users\user\Desktop\New Order #442-173.exe TID: 1896Thread sleep time: -55000s >= -30000sJump to behavior
      Source: C:\Users\user\Desktop\New Order #442-173.exe TID: 1896Thread sleep time: -54094s >= -30000sJump to behavior
      Source: C:\Users\user\Desktop\New Order #442-173.exe TID: 1896Thread sleep time: -53000s >= -30000sJump to behavior
      Source: C:\Users\user\Desktop\New Order #442-173.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
      Source: C:\Users\user\Desktop\New Order #442-173.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
      Source: C:\Users\user\Desktop\New Order #442-173.exeLast function: Thread delayed
      Source: New Order #442-173.exe, 00000000.00000002.399126458.0000000002CDF000.00000004.00000001.sdmpBinary or memory string: vmware
      Source: New Order #442-173.exe, 00000000.00000002.399126458.0000000002CDF000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
      Source: New Order #442-173.exe, 00000000.00000002.399126458.0000000002CDF000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
      Source: New Order #442-173.exe, 00000000.00000002.399126458.0000000002CDF000.00000004.00000001.sdmpBinary or memory string: VMWARE
      Source: New Order #442-173.exe, 00000000.00000002.399126458.0000000002CDF000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
      Source: New Order #442-173.exe, 00000000.00000002.399126458.0000000002CDF000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
      Source: New Order #442-173.exe, 00000000.00000002.399126458.0000000002CDF000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
      Source: New Order #442-173.exe, 00000000.00000002.399126458.0000000002CDF000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
      Source: C:\Users\user\Desktop\New Order #442-173.exeProcess information queried: ProcessInformationJump to behavior
      Source: C:\Users\user\Desktop\New Order #442-173.exeProcess queried: DebugPortJump to behavior
      Source: C:\Users\user\Desktop\New Order #442-173.exeProcess queried: DebugPortJump to behavior
      Source: C:\Users\user\Desktop\New Order #442-173.exeProcess queried: DebugPortJump to behavior
      Source: C:\Users\user\Desktop\New Order #442-173.exeProcess queried: DebugPortJump to behavior
      Source: C:\Users\user\Desktop\New Order #442-173.exeProcess token adjusted: DebugJump to behavior
      Source: C:\Users\user\Desktop\New Order #442-173.exeProcess token adjusted: DebugJump to behavior
      Source: C:\Users\user\Desktop\New Order #442-173.exeMemory allocated: page read and write | page guardJump to behavior

      HIPS / PFW / Operating System Protection Evasion:

      Injects a PE file into a foreign processes
      Source: C:\Users\user\Desktop\New Order #442-173.exe Memory written: C:\Users\user\Desktop\New Order #442-173.exe base: 400000 value starts with: 4D5A
      Source: C:\Users\user\Desktop\New Order #442-173.exe Process created: C:\Users\user\Desktop\New Order #442-173.exe {path}
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Users\user\Desktop\New Order #442-173.exe VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\New Order #442-173.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation