
Analysis Report New Order.exe

Overview

General Information

Sample Name: New Order.exe
Analysis ID: 356548
MD5: 3e3175667f101af812aa1aca7f4e9a10
SHA1: b46541a9ee94daa1dbc56ff4c6ff5a0824420f55
SHA256: 29b33dfc23c9d0fb7375b09cebd89658ed6b5cc66027512f1f697512209fc50a
Tags: AgentTesla, exe

Most interesting Screenshot: (image not included in this extract)

Detection

AgentTesla
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AgentTesla
.NET source code contains very large array initializations
Allocates memory in foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Moves itself to temp directory
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • New Order.exe (PID: 6368 cmdline: 'C:\Users\user\Desktop\New Order.exe' MD5: 3E3175667F101AF812AA1ACA7F4E9A10)
    • PDF.exe (PID: 6764 cmdline: 'C:\Users\user\AppData\Local\Temp\PDF.exe' MD5: 3E3175667F101AF812AA1ACA7F4E9A10)
      • InstallUtil.exe (PID: 3092 cmdline: C:\Users\user\AppData\Local\Temp\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
  • icloud.exe (PID: 5612 cmdline: 'C:\Users\user\AppData\Roaming\icloud\icloud.exe' MD5: EFEC8C379D165E3F33B536739AEE26A3)
    • conhost.exe (PID: 6008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • icloud.exe (PID: 6800 cmdline: 'C:\Users\user\AppData\Roaming\icloud\icloud.exe' MD5: EFEC8C379D165E3F33B536739AEE26A3)
    • conhost.exe (PID: 6892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.338347944.0000000004C7B000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
00000001.00000002.264919115.0000000003E4C000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
00000005.00000002.338213268.0000000004B6D000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
00000005.00000002.338414554.0000000004CEF000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
0000000D.00000002.501527866.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
(7 entries in total)

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.New Order.exe.3de048a.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
5.2.PDF.exe.4c7bd62.7.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
1.2.New Order.exe.3de048a.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
1.2.New Order.exe.3e82700.6.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
5.2.PDF.exe.4bd9ae2.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
(16 entries in total)

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: New Order.exe | Virustotal: Detection: 27%
Source: New Order.exe | ReversingLabs: Detection: 14%
Machine Learning detection for sample
Source: New Order.exe | Joe Sandbox ML: detected
Source: 13.2.InstallUtil.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: New Order.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: New Order.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Binary contains paths to debug symbols
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: PDF.exe, 00000005.00000003.323996467.00000000099E4000.00000004.00000001.sdmp, InstallUtil.exe, 0000000D.00000000.322576109.0000000000EB2000.00000002.00020000.sdmp, icloud.exe, 00000012.00000002.401449377.0000000000432000.00000002.00020000.sdmp, icloud.exe, 00000017.00000000.417823011.0000000000D42000.00000002.00020000.sdmp, InstallUtil.exe.5.dr
Source: Binary string: InstallUtil.pdb source: icloud.exe, InstallUtil.exe.5.dr
Source: C:\Users\user\Desktop\New Order.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h] | 1_2_00BF81CF
Source: C:\Users\user\Desktop\New Order.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-00000090h] | 1_2_00BF4108
Source: C:\Users\user\Desktop\New Order.exe | Code function: 4x nop then jmp 00BF47F4h | 1_2_00BF4108
Source: C:\Users\user\Desktop\New Order.exe | Code function: 4x nop then jmp 00BF47F4h | 1_2_00BF40F8
Source: C:\Users\user\Desktop\New Order.exe | Code function: 4x nop then jmp 00BF47F4h | 1_2_00BF4102
Source: C:\Users\user\Desktop\New Order.exe | Code function: 4x nop then mov eax, dword ptr [ebp-2Ch] | 1_2_00BF65C3
Source: C:\Users\user\Desktop\New Order.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 1_2_0839BEF0
Source: C:\Users\user\Desktop\New Order.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 1_2_0839B7CC
Source: C:\Users\user\Desktop\New Order.exe | Code function: 4x nop then push dword ptr [ebp-20h] | 1_2_0839C2A8
Source: C:\Users\user\Desktop\New Order.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 1_2_0839C2A8
Source: C:\Users\user\Desktop\New Order.exe | Code function: 4x nop then xor edx, edx | 1_2_0839C500
Source: C:\Users\user\Desktop\New Order.exe | Code function: 4x nop then push dword ptr [ebp-24h] | 1_2_0839C5C8
Source: C:\Users\user\Desktop\New Order.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 1_2_0839C5C8
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-00000090h] | 5_2_05704108
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 4x nop then jmp 057047F4h | 5_2_05704108
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h] | 5_2_057081E0
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 4x nop then mov eax, dword ptr [ebp-2Ch] | 5_2_057065C3
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h] | 5_2_057081CF
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 4x nop then jmp 057047F4h | 5_2_057040F8
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 4x nop then jmp 057047F4h | 5_2_057040FB
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 5_2_0920B7CC
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 5_2_0920BE10
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 4x nop then xor edx, edx | 5_2_0920C500
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 5_2_0920BEF0
Source: InstallUtil.exe, 0000000D.00000002.505455103.00000000032B1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: InstallUtil.exe, 0000000D.00000002.505455103.00000000032B1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: PDF.exe, 00000005.00000003.265815351.00000000014E0000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: New Order.exe, 00000001.00000003.245881659.0000000008B23000.00000004.00000001.sdmp, PDF.exe, 00000005.00000003.276483949.0000000009893000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.c/g
Source: PDF.exe, 00000005.00000003.330894365.000000000989B000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.c/g%%
Source: New Order.exe, 00000001.00000003.261518808.0000000008B2B000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.c/g%%A
Source: New Order.exe, 00000001.00000003.245931643.0000000008B23000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.c/gr
Source: PDF.exe, 00000005.00000003.265815351.00000000014E0000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: InstallUtil.exe, 0000000D.00000002.505455103.00000000032B1000.00000004.00000001.sdmp | String found in binary or memory: http://opqgus.com
Source: PDF.exe, 00000005.00000002.332738085.00000000032AC000.00000004.00000001.sdmp | String found in binary or memory: http://schema.org/WebPage
Source: New Order.exe, 00000001.00000002.262933915.0000000002451000.00000004.00000001.sdmp, PDF.exe, 00000005.00000002.332678135.0000000003281000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: New Order.exe | String found in binary or memory: http://tempuri.org/vmsDataSet1.xsd
Source: InstallUtil.exe, 0000000D.00000002.505455103.00000000032B1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: New Order.exe, 00000001.00000002.262933915.0000000002451000.00000004.00000001.sdmp, PDF.exe, 00000005.00000002.332678135.0000000003281000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com
Source: New Order.exe | String found in binary or memory: https://www.google.com/
Source: New Order.exe, 00000001.00000002.264919115.0000000003E4C000.00000004.00000001.sdmp, PDF.exe, 00000005.00000002.338347944.0000000004C7B000.00000004.00000001.sdmp, InstallUtil.exe, 0000000D.00000002.501527866.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: InstallUtil.exe, 0000000D.00000002.505455103.00000000032B1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary:

.NET source code contains very large array initializations
Source: 13.2.InstallUtil.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b29C1CE56u002d721Fu002d40F6u002d9783u002d468E049369ACu007d/FED7A41Fu002d0D54u002d4DD1u002d8FEEu002d83C13911AD7B.cs | Large array initialization: .cctor: array initializer size 11940
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: New Order.exe
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_06D23A10 CreateProcessAsUserW | 5_2_06D23A10
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_00BF61C0
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_00BF4108
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_00BFC8E0
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_00BFB218
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_00BF9278
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_00BF96A0
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_00BFD760
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_00BFBA88
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_00BF5E90
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_00BF40F8
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_00BF61B1
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_00BF4102
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_00BFA698
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_00BFE688
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_00BFF240
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_00BF9692
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_00BFF8E0
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_00BFFB18
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_00BFFD90
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_00BF5E50
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_00BFBF88
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_08392888
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_08396E50
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_083940D8
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_0839F480
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_083946D8
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_08396708
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_08392878
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_08397850
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_08397840
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_083938D0
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_083938C1
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_08394A78
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_08394A88
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_08392B38
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_08392B29
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_08396D8F
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_0839CD80
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_08396DDC
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_08397EB0
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_08390012
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_08390040
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_083940C8
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_08395168
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_083972F8
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_083972E9
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_0839D330
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_08396671
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_08396655
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_083946C8
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_088A0878
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_088A5A68
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_088A3B20
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_088A0869
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_088A1923
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_088A1930
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_088A5A59
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_088A3B10
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_088A1CB6
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_088A4F70
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_05704108
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_057061C0
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_0570C8E0
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_0570D760
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_057096A0
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_05709278
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_0570B218
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_05705E90
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_0570BA88
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_0570A698
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_0570E688
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_057061B1
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_057040FB
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_05709693
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_0570F240
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_0570FD90
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_0570BF88
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_05705E50
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_0570F8E0
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_0570FB18
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_06D20218
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_06D22858
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_06D25041
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_06D20948
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_06D23EF8
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_06D21F19
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_06D21F28
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_06D25C70
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_06D232E8
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_06D21AB0
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_06D21AA3
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_06D20209
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_06D20939
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_09202888
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_092040D8
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_09206708
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_09206E50
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_092046D8
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_09205168
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_0920003B
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_09202878
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_09200040
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_09207840
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_09207850
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_092038C1
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_092040C8
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_092038D0
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_09202B29
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_0920D330
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_09202B38
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_09204A78
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_09204A88
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_092072E9
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_092072F8
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_09206D75
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_0920CD80
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_09206D86
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_092077A8
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_09206671
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_09206655
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_09207EB0
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_092046C8
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 13_2_00EB20B0
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 13_2_017546A0
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 13_2_017545B0
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 13_2_064094F8
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 13_2_06407538
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 13_2_06406920
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 13_2_06406C68
Source: C:\Users\user\AppData\Roaming\icloud\icloud.exe | Code function: 18_2_004320B0
Source: C:\Users\user\AppData\Roaming\icloud\icloud.exe | Code function: 18_2_026407C8
Source: C:\Users\user\AppData\Roaming\icloud\icloud.exe | Code function: 23_2_00D420B0
Source: C:\Users\user\AppData\Roaming\icloud\icloud.exe | Code function: 23_2_016607C8
                      Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\InstallUtil.exe 46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
                      Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\icloud\icloud.exe 46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
                      Source: New Order.exe, 00000001.00000002.264919115.0000000003E4C000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamexmQIUMxxNnYSaKqwZwqQezLlEfuICPLsF.exe4 vs New Order.exe
                      Source: New Order.exe, 00000001.00000002.265025827.0000000004460000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs New Order.exe
                      Source: New Order.exe, 00000001.00000002.264386143.0000000003455000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSHCore1.dll0 vs New Order.exe
Source: New Order.exe, 00000001.00000002.269278942.0000000005AC0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs New Order.exe
Source: New Order.exe, 00000001.00000002.265189626.00000000044C0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs New Order.exe
Source: New Order.exe, 00000001.00000002.265189626.00000000044C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs New Order.exe
Source: New Order.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 13.2.InstallUtil.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor' (reported twice)
Source: classification engine | Classification label: mal96.troj.evad.winEXE@9/7@0/1
Source: C:\Users\user\Desktop\New Order.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\New Order.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6008:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6892:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: New Order.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\New Order.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\icloud\icloud.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (reported twice)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\New Order.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\New Order.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\New Order.exe | File read: C:\Windows\System32\drivers\etc\hosts (3 times)
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | File read: C:\Windows\System32\drivers\etc\hosts (3 times)
Source: New Order.exe | VirusTotal: Detection: 27%
Source: New Order.exe | ReversingLabs: Detection: 14%
Source: New Order.exe | String found in binary or memory: icons8-add-24
Source: New Order.exe | String found in binary or memory: icons8-add-32
Source: New Order.exe | String found in binary or memory: icons8-add-48
Source: New Order.exe | String found in binary or memory: icons8-add-administrator-50
Source: PDF.exe | String found in binary or memory: icons8-add-24
Source: PDF.exe | String found in binary or memory: icons8-add-32
Source: PDF.exe | String found in binary or memory: icons8-add-48
Source: PDF.exe | String found in binary or memory: icons8-add-administrator-50
Source: New Order.exe | String found in binary or memory: icons8-add-32[
Source: New Order.exe | String found in binary or memory: 6icons8-add-administrator-50
Source: New Order.exe | String found in binary or memory: 7icons8-add-administrator-50
Source: unknown | Process created: C:\Users\user\Desktop\New Order.exe 'C:\Users\user\Desktop\New Order.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\PDF.exe 'C:\Users\user\AppData\Local\Temp\PDF.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\icloud\icloud.exe 'C:\Users\user\AppData\Roaming\icloud\icloud.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\icloud\icloud.exe 'C:\Users\user\AppData\Roaming\icloud\icloud.exe' (second instance)
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 (second instance)
Source: C:\Users\user\Desktop\New Order.exe | Process created: C:\Users\user\AppData\Local\Temp\PDF.exe 'C:\Users\user\AppData\Local\Temp\PDF.exe'
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\Desktop\New Order.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32
Source: C:\Users\user\Desktop\New Order.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: New Order.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: New Order.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll | source: PDF.exe, 00000005.00000003.323996467.00000000099E4000.00000004.00000001.sdmp, InstallUtil.exe, 0000000D.00000000.322576109.0000000000EB2000.00000002.00020000.sdmp, icloud.exe, 00000012.00000002.401449377.0000000000432000.00000002.00020000.sdmp, icloud.exe, 00000017.00000000.417823011.0000000000D42000.00000002.00020000.sdmp, InstallUtil.exe.5.dr
Source: Binary string: InstallUtil.pdb | source: icloud.exe, InstallUtil.exe.5.dr
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_0002576D push 20060000h; retn 0001h (1_2_00025773)
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_00BF9FCA push ecx; ret (1_2_00BF9FCE)
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_08393E14 push ebx; retf (1_2_08393E16)
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_08393E0A push ebx; retf (1_2_08393E0C)
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_08393105 push eax; ret (1_2_08393107)
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_0839033C push ecx; iretd (1_2_0839033E)
Source: C:\Users\user\Desktop\New Order.exe | Code function: 1_2_088A2468 push edi; ret (1_2_088A2489)
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_00D3576D push 20060000h; retn 0001h (5_2_00D35773)
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_06D2764A push es; iretd (5_2_06D278BC)
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_06D27664 push es; iretd (5_2_06D278BC)
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_06D27613 push es; iretd (5_2_06D278BC)
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_06D274F1 push es; iretd (5_2_06D278BC)
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_06D27498 push es; iretd (5_2_06D278BC)
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_06D2745F push es; iretd (5_2_06D278BC)
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_06D27585 push es; iretd (5_2_06D278BC)
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_06D275BB push es; iretd (5_2_06D278BC)
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_06D273C8 push es; iretd (5_2_06D278BC)
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_09203105 push eax; ret (5_2_09203107)
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_0920033C push ecx; iretd (5_2_0920033E)
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_09207C00 pushfd ; ret (5_2_09207C91)
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_09203E0A push ebx; retf (5_2_09203E0C)
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Code function: 5_2_09203E14 push ebx; retf (5_2_09203E16)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 13_2_0640A61F push es; iretd (13_2_0640A63C)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 13_2_0640C320 push es; ret (13_2_0640C330)
Source: New Order.exe, k5R/c5S.cs | High entropy of concatenated method names: '.ctor', 'w5Z', 'q7A', 'Rc0', 'Wa2', 'Sz9', 'm7R', 'q1R', 'p1G', 't0H'
Source: New Order.exe, Qt6/Yk9.cs | High entropy of concatenated method names: '.ctor', 'Mb0', 'a4G', 'n8Y', 'Pk4', 'm5J', 't6J', 'Lc3', 'Yd1', 'j0G'
Source: 1.0.New Order.exe.20000.0.unpack, Qt6/Yk9.cs | High entropy of concatenated method names: '.ctor', 'Mb0', 'a4G', 'n8Y', 'Pk4', 'm5J', 't6J', 'Lc3', 'Yd1', 'j0G'
Source: 1.0.New Order.exe.20000.0.unpack, k5R/c5S.cs | High entropy of concatenated method names: '.ctor', 'w5Z', 'q7A', 'Rc0', 'Wa2', 'Sz9', 'm7R', 'q1R', 'p1G', 't0H'
Source: 1.2.New Order.exe.20000.0.unpack, Qt6/Yk9.cs | High entropy of concatenated method names: '.ctor', 'Mb0', 'a4G', 'n8Y', 'Pk4', 'm5J', 't6J', 'Lc3', 'Yd1', 'j0G'
Source: 1.2.New Order.exe.20000.0.unpack, k5R/c5S.cs | High entropy of concatenated method names: '.ctor', 'w5Z', 'q7A', 'Rc0', 'Wa2', 'Sz9', 'm7R', 'q1R', 'p1G', 't0H'
Source: 5.0.PDF.exe.d30000.0.unpack, Qt6/Yk9.cs | High entropy of concatenated method names: '.ctor', 'Mb0', 'a4G', 'n8Y', 'Pk4', 'm5J', 't6J', 'Lc3', 'Yd1', 'j0G'
Source: 5.0.PDF.exe.d30000.0.unpack, k5R/c5S.cs | High entropy of concatenated method names: '.ctor', 'w5Z', 'q7A', 'Rc0', 'Wa2', 'Sz9', 'm7R', 'q1R', 'p1G', 't0H'
Source: 5.2.PDF.exe.d30000.0.unpack, k5R/c5S.cs | High entropy of concatenated method names: '.ctor', 'w5Z', 'q7A', 'Rc0', 'Wa2', 'Sz9', 'm7R', 'q1R', 'p1G', 't0H'
Source: 5.2.PDF.exe.d30000.0.unpack, Qt6/Yk9.cs | High entropy of concatenated method names: '.ctor', 'Mb0', 'a4G', 'n8Y', 'Pk4', 'm5J', 't6J', 'Lc3', 'Yd1', 'j0G'
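The ten rows above all fire on one heuristic: every method of the two types k5R/c5S and Qt6/Yk9 is a three-character alphanumeric token, so the concatenation of the names has almost no repeated characters and its symbol distribution looks random, unlike human-written identifiers. The following is an added example, not code from the report or from the sandbox vendor. It computes that measure over the names listed in the rows and over a constructed set of ordinary names; the 4.2 bits/char threshold and the 16-character minimum are assumptions chosen for illustration, not the vendor's values.

```python
import math
from collections import Counter
from typing import Iterable

# Method names exactly as reported above for Qt6/Yk9.cs.
OBFUSCATED_NAMES = [".ctor", "Mb0", "a4G", "n8Y", "Pk4", "m5J", "t6J", "Lc3", "Yd1", "j0G"]

# Constructed comparison set of ordinary, human-written method names.
NORMAL_NAMES = [".ctor", "Initialize", "Initialized", "LoadSettings", "SaveSettings",
                "GetSetting", "SetSetting", "Dispose"]


def shannon_entropy(text: str) -> float:
    """Bits per character of the empirical symbol distribution of `text`."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def method_name_entropy(names: Iterable[str]) -> float:
    """Entropy of the concatenation of all method names of one type.

    Concatenating (rather than scoring each name alone) is what makes the
    measure usable on three-character identifiers: a single "Mb0" is too short
    to say anything, but thirty such characters with hardly any repeats are not.
    """
    return shannon_entropy("".join(names))


def looks_obfuscated(names: Iterable[str], threshold: float = 4.2,
                     min_chars: int = 16) -> bool:
    """Heuristic verdict. Both parameters are assumptions for this example;
    tune them on a corpus of known-good assemblies before relying on them.
    Very short inputs are rejected because a handful of distinct characters
    trivially reaches a high per-character entropy."""
    joined = "".join(names)
    if len(joined) < min_chars:
        return False
    return shannon_entropy(joined) > threshold


if __name__ == "__main__":
    for label, names in (("obfuscated", OBFUSCATED_NAMES), ("normal", NORMAL_NAMES)):
        print(f"{label:10s} {method_name_entropy(names):.3f} bits/char "
              f"-> obfuscated={looks_obfuscated(names)}")
```

The obfuscated set has 25 distinct characters in 32, which is what pushes it well above the ordinary identifiers, where letters such as t, i and e dominate. Renamed-but-readable obfuscation (dictionary words, Unicode homoglyphs) defeats this particular measure, which is why the report pairs it with the other signatures rather than using it alone.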
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | File created (dropped file): C:\Users\user\AppData\Roaming\icloud\icloud.exe
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | File created (dropped file): C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run icloud (reported twice)

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\New Order.exe | File opened: C:\Users\user\Desktop\New Order.exe\:Zone.Identifier (access: read attributes | delete)
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | File opened: C:\Users\user\AppData\Local\Temp\PDF.exe\:Zone.Identifier (access: read attributes | delete)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\icloud\icloud.exe:Zone.Identifier (access: read attributes | delete)
Moves itself to temp directory
Source: c:\users\user\desktop\new order.exe | File moved: C:\Users\user\AppData\Local\Temp\PDF.exe
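The three Zone.Identifier rows above, together with the dropped-file and Run-key rows earlier in this section, are the observables an analyst turns into triage logic: each stage opens its own image's Zone.Identifier stream with delete access (removing the Mark-of-the-Web), PDF.exe writes a copy of the .NET InstallUtil.exe into %TEMP% and starts it as the injection host, and InstallUtil.exe registers icloud.exe under HKCU\...\Run. The following is an added example, not code from the report or the sample, that replays constructed behaviour records shaped like those rows through three checks. The `Event` class, the regular expressions and the Run value data are assumptions made for the example; the report shows only the value name "icloud".

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass
class Event:
    """One behaviour record in the shape of the sandbox rows (constructed for this example)."""
    process: str      # image path of the acting (parent) process
    kind: str         # file_open | file_created | registry_set | process_created
    target: str       # file path, registry value path, or child image path
    detail: str = ""  # access mask, registry data, or command line


# Locations a standard user can write to without elevation (assumed list).
USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\(Local\\Temp|Roaming)\\", re.I)
# The genuine InstallUtil.exe only exists under the .NET framework directory.
FRAMEWORK_DIR = re.compile(r"^C:\\Windows\\Microsoft\.NET\\Framework(64)?\\v[\d.]+\\", re.I)
# Run values only; RunOnce is deliberately not matched by this pattern.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)


def motw_stripped(ev: Event) -> bool:
    """Opening a file's Zone.Identifier stream with DELETE access removes the
    Mark-of-the-Web, so SmartScreen and Office stop treating it as downloaded."""
    return (ev.kind == "file_open"
            and ev.target.lower().endswith(":zone.identifier")
            and "delete" in ev.detail.lower())


def run_key_to_user_path(ev: Event) -> bool:
    """Autostart value whose data points into a user-writable directory."""
    return (ev.kind == "registry_set"
            and RUN_KEY.search(ev.target) is not None
            and USER_WRITABLE.match(ev.detail.strip("\"'")) is not None)


def dotnet_tool_outside_framework(ev: Event) -> bool:
    """InstallUtil.exe started from anywhere but the framework directory is a
    copied host binary, as in this report, not the Microsoft tool."""
    name = ev.target.rsplit("\\", 1)[-1].lower()
    return (ev.kind == "process_created"
            and name == "installutil.exe"
            and FRAMEWORK_DIR.match(ev.target) is None)


def triage(events: List[Event]) -> List[str]:
    """Return one finding string per matching check, in event order."""
    findings = []
    for ev in events:
        if motw_stripped(ev):
            findings.append(f"motw_removed: {ev.process} -> {ev.target}")
        if run_key_to_user_path(ev):
            findings.append(f"run_key_persistence: {ev.target} = {ev.detail}")
        if dotnet_tool_outside_framework(ev):
            findings.append(f"dotnet_tool_outside_framework: {ev.process} -> {ev.target}")
    return findings


# Constructed events: the first four mirror rows in this report, the last three are benign controls.
SAMPLE_EVENTS = [
    Event(r"C:\Users\user\Desktop\New Order.exe", "file_open",
          r"C:\Users\user\Desktop\New Order.exe:Zone.Identifier", "read attributes | delete"),
    Event(r"C:\Users\user\AppData\Local\Temp\InstallUtil.exe", "file_open",
          r"C:\Users\user\AppData\Roaming\icloud\icloud.exe:Zone.Identifier", "read attributes | delete"),
    # Value data is assumed; the report shows only the value name "icloud".
    Event(r"C:\Users\user\AppData\Local\Temp\InstallUtil.exe", "registry_set",
          r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\icloud",
          r'"C:\Users\user\AppData\Roaming\icloud\icloud.exe"'),
    Event(r"C:\Users\user\AppData\Local\Temp\PDF.exe", "process_created",
          r"C:\Users\user\AppData\Local\Temp\InstallUtil.exe",
          r"C:\Users\user\AppData\Local\Temp\InstallUtil.exe"),
    # Benign: reading the zone marker without delete access is what Explorer does.
    Event(r"C:\Windows\explorer.exe", "file_open",
          r"C:\Users\user\Downloads\invoice.pdf:Zone.Identifier", "read attributes"),
    # Benign: the real InstallUtil.exe run from its framework directory.
    Event(r"C:\Windows\System32\cmd.exe", "process_created",
          r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
          r"InstallUtil.exe /i C:\svc\agent.exe"),
    # Benign: Run value pointing at an admin-only location.
    Event(r"C:\Windows\System32\msiexec.exe", "registry_set",
          r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
          r'"C:\Program Files\Vendor\agent.exe"'),
]


if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

Run stand-alone it prints four findings, two for the Mark-of-the-Web removal and one each for the Run value and the relocated InstallUtil.exe, and none for the three controls. On a live host the same three predicates map onto Sysmon event IDs 11 and 23 (file create/delete, including the `:Zone.Identifier` stream), 13 (registry value set) and 1 (process create with image path).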
Source: C:\Users\user\Desktop\New Order.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\New Order.exe | Process information set: NOOPENFILEERRORBOX (50 occurrences)
Source: C:\Users\user\AppData\Local\Temp\PDF.exe | Process information set: NOOPENFILEERRORBOX (49 occurrences)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Process information set: NOOPENFILEERRORBOX (43 occurrences)
Source: C:\Users\user\AppData\Roaming\icloud\icloud.exe | Process information set: NOOPENFILEERRORBOX (15 occurrences)