Analysis Report New Order Request_0232147.exe

Overview

General Information

Sample Name: New Order Request_0232147.exe
Analysis ID: 404158
MD5: 5133cbc9db4989d6fbb350e0829911c8
SHA1: 72052feec6f9f94fe0831a77bdf8c3493d268e37
SHA256: fbdc2f9c6e970ae88ff30847c4d63472a0f0aa9b8e008e5b5c37f62ac526a963
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large array initializations
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "calidad1@iruberritechnologies.comVpx7s4QHfJx7mail.iruberritechnologies.comrichardjortega@yandex.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.263302597.0000000004548000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000005.00000002.495432203.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000005.00000002.500811322.0000000002C51000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: New Order Request_0232147.exe PID: 6368 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Process Memory Space: New Order Request_0232147.exe PID: 6368 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
(2 further entries collapsed in the original report)

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.New Order Request_0232147.exe.45ee328.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
5.2.New Order Request_0232147.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.New Order Request_0232147.exe.45ee328.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.New Order Request_0232147.exe.45ee328.3.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "calidad1@iruberritechnologies.comVpx7s4QHfJx7mail.iruberritechnologies.comrichardjortega@yandex.com"}
Multi AV Scanner detection for submitted file
Source: New Order Request_0232147.exe | Virustotal: Detection: 14%
Source: New Order Request_0232147.exe | ReversingLabs: Detection: 17%
Source: 5.2.New Order Request_0232147.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: New Order Request_0232147.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: New Order Request_0232147.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: global traffic | TCP traffic: 192.168.2.5:49730 -> 149.202.85.210:587
Source: Joe Sandbox View | ASN Name: OVHFR OVHFR
Source: global traffic | TCP traffic: 192.168.2.5:49730 -> 149.202.85.210:587
Source: unknown | DNS traffic detected: queries for: mail.iruberritechnologies.com
Source: New Order Request_0232147.exe, 00000005.00000002.500811322.0000000002C51000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: New Order Request_0232147.exe, 00000005.00000002.500811322.0000000002C51000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: New Order Request_0232147.exe, 00000005.00000002.500811322.0000000002C51000.00000004.00000001.sdmp | String found in binary or memory: http://LPzxab.com
Source: New Order Request_0232147.exe, 00000005.00000002.503206058.0000000002F00000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: New Order Request_0232147.exe, 00000005.00000002.503206058.0000000002F00000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: New Order Request_0232147.exe, 00000005.00000002.503206058.0000000002F00000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: New Order Request_0232147.exe, 00000005.00000002.503206058.0000000002F00000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: New Order Request_0232147.exe, 00000005.00000002.503177096.0000000002EFA000.00000004.00000001.sdmp | String found in binary or memory: http://iruberritechnologies.com
Source: New Order Request_0232147.exe, 00000005.00000002.503177096.0000000002EFA000.00000004.00000001.sdmp | String found in binary or memory: http://mail.iruberritechnologies.com
Source: New Order Request_0232147.exe, 00000005.00000002.503206058.0000000002F00000.00000004.00000001.sdmp | String found in binary or memory: http://r3.i.lencr.org/0?
Source: New Order Request_0232147.exe, 00000005.00000002.503206058.0000000002F00000.00000004.00000001.sdmp | String found in binary or memory: http://r3.o.lencr.org0
Source: New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: New Order Request_0232147.exe, 00000000.00000003.237770203.000000000628E000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: New Order Request_0232147.exe, 00000000.00000003.237770203.000000000628E000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comTC
Source: New Order Request_0232147.exe, 00000000.00000003.237770203.000000000628E000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comTCZ
Source: New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: New Order Request_0232147.exe, 00000000.00000003.243298062.0000000006285000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: New Order Request_0232147.exe, 00000000.00000002.259475460.00000000019A7000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comh
Source: New Order Request_0232147.exe, 00000000.00000002.259475460.00000000019A7000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comion
Source: New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: New Order Request_0232147.exe, 00000000.00000003.234986480.0000000006288000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn(
Source: New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: New Order Request_0232147.exe, 00000000.00000003.234986480.0000000006288000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnFYT/
Source: New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: New Order Request_0232147.exe, 00000000.00000003.242633271.0000000006285000.00000004.00000001.sdmp, New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: New Order Request_0232147.exe, 00000000.00000003.241640533.000000000628B000.00000004.00000001.sdmp | String found in binary or memory: http://www.monotype.
Source: New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: New Order Request_0232147.exe, 00000000.00000003.233482785.000000000629B000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comTF
Source: New Order Request_0232147.exe, 00000000.00000003.233482785.000000000629B000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comiv
Source: New Order Request_0232147.exe, 00000000.00000003.233482785.000000000629B000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comt
Source: New Order Request_0232147.exe, 00000000.00000003.237365971.0000000006286000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: New Order Request_0232147.exe, 00000000.00000003.235097752.0000000006288000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com7
Source: New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: New Order Request_0232147.exe, 00000005.00000002.500811322.0000000002C51000.00000004.00000001.sdmp | String found in binary or memory: https://9TuO2oVE4tm8Yg0qRsK.org
Source: New Order Request_0232147.exe, 00000000.00000002.263302597.0000000004548000.00000004.00000001.sdmp, New Order Request_0232147.exe, 00000005.00000002.495432203.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: New Order Request_0232147.exe, 00000005.00000002.500811322.0000000002C51000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

                  System Summary:

                  barindex
                  .NET source code contains very large array initializationsShow sources
                  Source: 5.2.New Order Request_0232147.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bEAE24690u002d1E26u002d4B8Cu002dAA5Bu002d108B71A5B425u007d/u00333AA9EBEu002d6032u002d421Du002dA6B8u002d318DAED5CBB5.csLarge array initialization: .cctor: array initializer size 11983
                  Initial sample is a PE file and has a suspicious nameShow sources
                  Source: initial sampleStatic PE information: Filename: New Order Request_0232147.exe
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_0578C43C
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_0578E4D0
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_0578E4C3
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE26E0
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AEAE40
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE5D30
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE3540
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE1C88
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE7CC8
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE8190
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE68E8
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AEB0F0
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE1018
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE0040
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE0FB7
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE86A0
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE5680
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE8690
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE26D0
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AEAE32
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AEC600
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE5670
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE6D80
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AEC5F0
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE5D21
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE2500
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE6D70
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE04AA
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE04B8
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE7CB8
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE34D6
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE7410
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE1C78
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE4449
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE4458
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE73F6
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AEAB68
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AEAB78
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE5B40
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE52E8
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE52F8
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE58A0
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE68BD
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE5890
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AEB0E0
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE0006
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 0_2_07AE6879
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 5_2_00F92D50
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 5_2_00F9F210
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 5_2_00F91FEF
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 5_2_00F92768
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 5_2_00FF0AC4
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 5_2_00FF3285
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 5_2_00FF5B60
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 5_2_00FFC5D0
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 5_2_00FF9198
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 5_2_00FFBEE0
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 5_2_00FF5EA8
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 5_2_00FFC670
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 5_2_01050040
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 5_2_010543F0
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 5_2_01053248
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 5_2_01054A75
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 5_2_01058F40
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 5_2_0105B790
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 5_2_0105E567
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 5_2_01059788
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeCode function: 5_2_01059688
                  Source: New Order Request_0232147.exe, 00000000.00000002.262301254.00000000042A9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs New Order Request_0232147.exe
                  Source: New Order Request_0232147.exe, 00000000.00000002.258139630.0000000001002000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameqGOldQU8bPo4VOD.exeR vs New Order Request_0232147.exe
                  Source: New Order Request_0232147.exe, 00000000.00000002.263302597.0000000004548000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamempUIbZUCJJtYBvJwTrRUyqOpjFnkxPklNCt.exe4 vs New Order Request_0232147.exe
                  Source: New Order Request_0232147.exe, 00000000.00000002.259621608.00000000032A1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSmartFormat.dll8 vs New Order Request_0232147.exe
                  Source: New Order Request_0232147.exe, 00000004.00000000.254603815.00000000002E2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameqGOldQU8bPo4VOD.exeR vs New Order Request_0232147.exe
                  Source: New Order Request_0232147.exe, 00000005.00000000.256547687.0000000000962000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameqGOldQU8bPo4VOD.exeR vs New Order Request_0232147.exe
                  Source: New Order Request_0232147.exe, 00000005.00000002.497098410.0000000000CF8000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs New Order Request_0232147.exe
                  Source: New Order Request_0232147.exe, 00000005.00000002.505433369.0000000006030000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs New Order Request_0232147.exe
                  Source: New Order Request_0232147.exe, 00000005.00000002.495432203.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamempUIbZUCJJtYBvJwTrRUyqOpjFnkxPklNCt.exe4 vs New Order Request_0232147.exe
                  Source: New Order Request_0232147.exeBinary or memory string: OriginalFilenameqGOldQU8bPo4VOD.exeR vs New Order Request_0232147.exe
                  Source: New Order Request_0232147.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                  Source: 5.2.New Order Request_0232147.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: 5.2.New Order Request_0232147.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@5/1@6/1
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\New Order Request_0232147.exe.logJump to behavior
                  Source: New Order Request_0232147.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: New Order Request_0232147.exeBinary or memory string: SELECT DoctorId FROM PatientDoctor WHERE PatientId = {0};
                  Source: New Order Request_0232147.exeBinary or memory string: SELECT * FROM Patients a INNER JOIN PatientDoctor b ON a.Id = b.PatientId WHERE b.DoctorId = {0} ORDER BY LastName;
                  Source: New Order Request_0232147.exe, 00000000.00000000.230290906.0000000000F02000.00000002.00020000.sdmp, New Order Request_0232147.exe, 00000004.00000002.256253349.00000000001E2000.00000002.00020000.sdmp, New Order Request_0232147.exe, 00000005.00000002.495906591.0000000000862000.00000002.00020000.sdmpBinary or memory string: SELECT * FROM Patients a INNER JOIN PatientDoctor b ON a.Id = b.PatientId WHERE b.DoctorId = {0} ORDER BY LastName;oSELECT COUNT(*) FROM PatientDoctor WHERE DoctorId = {0}sSELECT DoctorId FROM PatientDoctor WHERE PatientId = {0};
                  Source: New Order Request_0232147.exeVirustotal: Detection: 14%
                  Source: New Order Request_0232147.exeReversingLabs: Detection: 17%
                  Source: New Order Request_0232147.exeString found in binary or memory: Administrators/addNewToolStripMenuItem
                  Source: unknownProcess created: C:\Users\user\Desktop\New Order Request_0232147.exe 'C:\Users\user\Desktop\New Order Request_0232147.exe'
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeProcess created: C:\Users\user\Desktop\New Order Request_0232147.exe {path}
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeProcess created: C:\Users\user\Desktop\New Order Request_0232147.exe {path}
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeProcess created: C:\Users\user\Desktop\New Order Request_0232147.exe {path}
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeProcess created: C:\Users\user\Desktop\New Order Request_0232147.exe {path}
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: New Order Request_0232147.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: New Order Request_0232147.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: New Order Request_0232147.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: New Order Request_0232147.exe | Static PE information: 0xF0C0A264 [Sun Dec 29 11:52:04 2097 UTC]
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Code function: 0_2_07AE2F05 push ds; ret
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Code function: 0_2_07AE65EB push ecx; retf
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Code function: 0_2_07AEC4CA push ebp; ret
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Code function: 0_2_07AE8182 push esp; retf
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Code function: 5_2_00F954F0 pushfd ; ret
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Code function: 5_2_00F9E6B0 pushfd ; ret
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Code function: 5_2_00F97A37 push edi; retn 0000h
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Code function: 5_2_00F9FB98 pushfd ; ret
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Code function: 5_2_00FF912D push fs; iretd
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Code function: 5_2_00FF0650 push 99BC00D7h; ret
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Code function: 5_2_013CDEEF push C802C3C1h; ret
Source: initial sample | Static PE information: section name: .text entropy: 7.17013687848
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Process information set: NOOPENFILEERRORBOX (89 identical entries)
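Added example (not part of this Joe Sandbox report and not code from the sample): a Python helper that decodes the two static PE indicators listed above, the TimeDateStamp 0xF0C0A264 and the .text section entropy of 7.17, into the verdict an analyst would write next to them. The function names, the 7.0 packing threshold and the constructed byte buffers are this example's own assumptions; only the two constants come from the report.

```python
# Added example (not from the Joe Sandbox report or the analysed sample): decode the
# static PE indicators listed above. Function names, thresholds and the test buffers
# are this example's own assumptions; the two SAMPLE_ constants are the report's values.
import math
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Optional

SAMPLE_TIMESTAMP = 0xF0C0A264          # IMAGE_FILE_HEADER.TimeDateStamp from the report
SAMPLE_TEXT_ENTROPY = 7.17013687848    # .text section entropy from the report
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
PACKED_THRESHOLD = 7.0                 # assumption: common cut-off for packed/encrypted sections


def pe_timestamp_to_datetime(ts: int) -> datetime:
    """Decode a 32-bit PE TimeDateStamp (seconds since 1970-01-01 UTC).

    Built from a timedelta rather than fromtimestamp() so values beyond 2038
    decode on every platform.
    """
    if not 0 <= ts <= 0xFFFFFFFF:
        raise ValueError("TimeDateStamp must be an unsigned 32-bit value")
    return EPOCH + timedelta(seconds=ts)


def timestamp_verdict(ts: int, now: Optional[datetime] = None) -> str:
    """Classify a compile timestamp relative to `now` (defaults to the current UTC time)."""
    now = now or datetime.now(timezone.utc)
    if ts == 0:
        return "zeroed"
    built = pe_timestamp_to_datetime(ts)
    if built > now:
        return "future"
    if built.year < 2000:
        return "pre-2000"
    return "plausible"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    # max() clamps the -0.0 that a single-symbol buffer would otherwise produce
    return max(0.0, -sum((c / n) * math.log2(c / n) for c in Counter(data).values()))


def entropy_verdict(entropy: float) -> str:
    """Bucket a section entropy the way a triage analyst reads it."""
    if entropy >= PACKED_THRESHOLD:
        return "likely packed or encrypted"
    if entropy >= 6.0:
        return "compressed or mixed content"
    return "plain code or data"


if __name__ == "__main__":
    built = pe_timestamp_to_datetime(SAMPLE_TIMESTAMP)
    print(f"TimeDateStamp 0x{SAMPLE_TIMESTAMP:08X} -> {built:%a %b %d %H:%M:%S %Y UTC}"
          f" ({timestamp_verdict(SAMPLE_TIMESTAMP)})")
    print(f".text entropy {SAMPLE_TEXT_ENTROPY:.2f} -> {entropy_verdict(SAMPLE_TEXT_ENTROPY)}")
    # Constructed buffers showing the two ends of the scale
    print(f"uniform bytes: {shannon_entropy(bytes(range(256)) * 4):.2f}")
    print(f"constant bytes: {shannon_entropy(b'A' * 1024):.2f}")
```

One caveat for .NET samples: Roslyn's deterministic builds (the default for SDK-style projects) fill TimeDateStamp with a value derived from a content hash rather than the build time, so a future-dated timestamp on a .NET binary is weak evidence on its own. Here it only adds weight because the .text entropy above 7 and the push/ret stubs listed above point the same way.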

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: Process Memory Space: New Order Request_0232147.exe PID: 6368, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: New Order Request_0232147.exe, 00000000.00000002.259851454.00000000032E5000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: New Order Request_0232147.exe, 00000000.00000002.259851454.00000000032E5000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Thread delayed: delay time: 922337203685477 (2 identical entries)
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Window / User API: threadDelayed 3749
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Window / User API: threadDelayed 6072
Source: C:\Users\user\Desktop\New Order Request_0232147.exe TID: 6372 | Thread sleep time: -31500s >= -30000s
Source: C:\Users\user\Desktop\New Order Request_0232147.exe TID: 6392 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\New Order Request_0232147.exe TID: 5480 | Thread sleep time: -19369081277395017s >= -30000s
Source: C:\Users\user\Desktop\New Order Request_0232147.exe TID: 5476 | Thread sleep count: 3749 > 30
Source: C:\Users\user\Desktop\New Order Request_0232147.exe TID: 5476 | Thread sleep count: 6072 > 30
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Thread delayed: delay time: 31500
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Thread delayed: delay time: 922337203685477 (2 identical entries)
Source: New Order Request_0232147.exe, 00000000.00000002.259851454.00000000032E5000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: New Order Request_0232147.exe, 00000000.00000002.259851454.00000000032E5000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: New Order Request_0232147.exe, 00000000.00000002.259851454.00000000032E5000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: New Order Request_0232147.exe, 00000000.00000002.259851454.00000000032E5000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: New Order Request_0232147.exe, 00000000.00000002.259851454.00000000032E5000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: New Order Request_0232147.exe, 00000000.00000002.259851454.00000000032E5000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: New Order Request_0232147.exe, 00000000.00000002.259851454.00000000032E5000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: New Order Request_0232147.exe, 00000000.00000002.259851454.00000000032E5000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: New Order Request_0232147.exe, 00000000.00000002.259851454.00000000032E5000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Code function: 5_2_01050040 LdrInitializeThunk,
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Process token adjusted: Debug (2 identical entries)
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Memory written: C:\Users\user\Desktop\New Order Request_0232147.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Process created: C:\Users\user\Desktop\New Order Request_0232147.exe {path} (2 identical entries)
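Added example (not part of this report and not code from the sample), serving both the Malware Analysis System Evasion evidence above and the injection evidence here: a Python triage script that parses evidence lines in the form this report uses (constructed copies of entries from this report, with "|" marking the boundary between the Source column and the detail column), collects the WMI hardware fingerprinting, the sandbox and hypervisor strings, the unbounded thread delay, the sleep loop counts, the Outlook profile key and the self-hollowing pattern, and maps them back to the report's signature names. The category names, the indicator lists, the reading of 922337203685477 ms as the largest 64-bit 100 ns interval and the mapping to signature names are this example's assumptions.

```python
# Added example, not from the Joe Sandbox report or the sample: triage evidence lines
# of the form shown in this report for sandbox-evasion, credential-access and
# process-hollowing indicators. Category names, lists and the mapping are assumptions.
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed from entries in this report; "|" marks the Source/detail column boundary.
REPORT_LINES = r"""
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: New Order Request_0232147.exe, 00000000.00000002.259851454.00000000032E5000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: New Order Request_0232147.exe, 00000000.00000002.259851454.00000000032E5000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: New Order Request_0232147.exe, 00000000.00000002.259851454.00000000032E5000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\New Order Request_0232147.exe TID: 5476 | Thread sleep count: 3749 > 30
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Memory written: C:\Users\user\Desktop\New Order Request_0232147.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Process created: C:\Users\user\Desktop\New Order Request_0232147.exe {path}
""".strip().splitlines()

LINE_RE = re.compile(r"^Source:\s*(?P<src>.+?)\s*\|\s*(?P<detail>.+?)\s*$")
# WMI classes whose instances carry hypervisor fingerprints (assumed list)
VM_FINGERPRINT_WMI = {"win32_baseboard", "win32_bios", "win32_computersystem", "win32_processor",
                      "win32_networkadapter", "win32_networkadapterconfiguration", "win32_videocontroller"}
# Substrings that name sandboxes, hypervisors or Wine (assumed list)
ANALYSIS_ARTIFACTS = ("sbiedll", "wine_get_unix_file_name", "vmware", "vbox", "virtualbox", "qemu")
# Int64.MaxValue 100 ns ticks / 10000 ticks per ms: the largest representable wait, effectively unbounded
DOTNET_SLEEP_FOREVER_MS = 922_337_203_685_477
# Finding category -> signature name used by this report (mapping assumed)
SIGNATURE_NAMES = {
    "vm_fingerprint_wmi": "Queries sensitive BIOS / network adapter / processor information via WMI",
    "analysis_tool_strings": "Tries to detect sandboxes and other dynamic analysis tools",
    "sleep_forever": "Contains long sleeps (>= 3 min)",
    "sleep_loop_counts": "May sleep (evasive loops) to hinder dynamic analysis",
    "credential_registry": "Tries to steal Mail credentials (via file access)",
    "process_hollowing": "Injects a PE file into a foreign processes",
}

def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Split one evidence line into (source, detail); None for headings and other text."""
    m = LINE_RE.match(line)
    return (m.group("src"), m.group("detail")) if m else None

def analyse(lines: List[str]) -> Dict[str, List]:
    """Collect indicators; process hollowing is correlated across two separate lines."""
    findings: Dict[str, List] = defaultdict(list)
    wrote_mz, spawned = set(), set()  # (actor, target image) pairs
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, detail = parsed
        actor = src.split(" TID:")[0]  # some entries append a thread id to the path
        m = re.match(r"WMI Queries: .*?(Win32_\w+)", detail)
        if m:
            if m.group(1).lower() in VM_FINGERPRINT_WMI:
                findings["vm_fingerprint_wmi"].append(m.group(1))
            continue
        m = re.match(r"Binary or memory string: (.*)", detail)
        if m:
            text = m.group(1).lower()
            findings["analysis_tool_strings"].extend(a for a in ANALYSIS_ARTIFACTS if a in text)
            continue
        m = re.match(r"Thread delayed: delay time: (\d+)", detail)
        if m:
            if int(m.group(1)) == DOTNET_SLEEP_FOREVER_MS:
                findings["sleep_forever"].append(int(m.group(1)))
            continue
        m = re.match(r"Thread sleep count: (\d+)", detail)
        if m:
            findings["sleep_loop_counts"].append(int(m.group(1)))
            continue
        m = re.match(r"Key opened: (.*\\Outlook\\Profiles\\.*)", detail, re.I)
        if m:
            findings["credential_registry"].append(m.group(1))
            continue
        m = re.match(r"Memory written: (.+?\.exe) base: [0-9A-F]+ value starts with: 4D5A", detail, re.I)
        if m:
            wrote_mz.add((actor, m.group(1)))
            continue
        m = re.match(r"Process created: (.+?\.exe)", detail, re.I)
        if m:
            spawned.add((actor, m.group(1)))
    # Hollowing: one actor spawns a process (here a second copy of itself) and then
    # writes a fresh PE header ("MZ") at that process's image base.
    for _actor, child in sorted(spawned & wrote_mz):
        findings["process_hollowing"].append(child)
    return {k: v for k, v in findings.items() if v}

def triggered_signatures(findings: Dict[str, List]) -> List[str]:
    """Names of the report signatures that the collected findings would trigger."""
    return sorted({SIGNATURE_NAMES[key] for key in findings})

if __name__ == "__main__":
    print(*triggered_signatures(analyse(REPORT_LINES)), sep="\n")
```

The hollowing correlation deliberately needs two entries from the same actor: a Process created line and a Memory written line whose target is the new process's image base and whose value starts with 4D5A (the MZ header). Either on its own is ordinary (.NET applications spawn processes; debuggers write memory), the pair is the process-hollowing pattern, and the child being a second copy of the sample is typical of AgentTesla loaders. The delay value 922337203685477 ms is Int64.MaxValue 100 ns ticks expressed in milliseconds (roughly 29,000 years), so the thread is parked for good rather than sleeping through a sandbox timeout; the threadDelayed counts of 3749 and 6072 above are the actual stalling loops. The volume-information entries for System.Drawing and the font files further down are what any WinForms process produces when GDI+ builds its font collection and carry no detection value on their own.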
Source: New Order Request_0232147.exe, 00000005.00000002.500108767.0000000001630000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: New Order Request_0232147.exe, 00000005.00000002.500108767.0000000001630000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: New Order Request_0232147.exe, 00000005.00000002.500108767.0000000001630000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl
Source: New Order Request_0232147.exe, 00000005.00000002.500108767.0000000001630000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd,
Source: New Order Request_0232147.exe, 00000005.00000002.500108767.0000000001630000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Users\user\Desktop\New Order Request_0232147.exe VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Queries volume information: C:\Users\user\Desktop\New Order Request_0232147.exe VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match; File source: 00000000.00000002.263302597.0000000004548000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.495432203.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: New Order Request_0232147.exe PID: 6368, type: MEMORY
Source: Yara match; File source: Process Memory Space: New Order Request_0232147.exe PID: 6604, type: MEMORY
Source: Yara match; File source: 0.2.New Order Request_0232147.exe.45ee328.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.New Order Request_0232147.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.New Order Request_0232147.exe.45ee328.3.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match; File source: 00000005.00000002.500811322.0000000002C51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: New Order Request_0232147.exe PID: 6604, type: MEMORY
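For a responder, the file and registry targets listed above are the most reusable part of this report: each one is a concrete credential store that can be checked for recent access on a suspected host. The following Python is an added example, not part of the Joe Sandbox report or of any Joe Sandbox tooling. It parses behaviour lines of the shape shown on this page (the sample lines are copied from the report; one line is kept in the fused "...exeQueries volume information:" form that the page extraction produced, to show both shapes are accepted), tags each target with the credential store it belongs to, and returns the unique targets per store. The category patterns are my own, and the PuTTY registry key in the scp_ssh rule is an assumption added from the same product family; only the targets that appear on this page were actually observed for this sample.

```python
import re
from collections import Counter

# Constructed sample input: behaviour lines copied from the report above.
# The last line is left in the fused "...exeQueries volume information:" form
# produced by the page extraction, so the parser has to accept both shapes.
SAMPLE = r"""
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\New Order Request_0232147.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\New Order Request_0232147.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
"""

# "Source: <process>.exe" optionally followed by "; ", then one of the actions seen
# in this report, a colon, and the target path, key or key+value name.
LINE_RE = re.compile(
    r"^Source:\s+(?P<source>.+?\.exe);?\s*"
    r"(?P<action>File opened|Key opened|Key value queried|Queries volume information):\s*"
    r"(?P<target>.+?)\s*$"
)

# Which credential store a target belongs to. Patterns are my own (assumption);
# the SimonTatham\PuTTY key is not on the page and is added as an assumption.
CATEGORY_RULES = [
    ("browser", re.compile(r"\\(?:Google\\Chrome\\User Data|Mozilla\\Firefox)\\", re.I)),
    ("ftp",     re.compile(r"\\(?:FileZilla|SmartFTP)\\", re.I)),
    ("mail",    re.compile(r"\\(?:Thunderbird|IncrediMail|Windows Messaging Subsystem)\\", re.I)),
    ("scp_ssh", re.compile(r"\\(?:WinSCP 2|SimonTatham\\PuTTY)\\", re.I)),
    ("host_id", re.compile(r"\\Cryptography MachineGuid$", re.I)),  # victim identifier, not a credential
]


def classify(target):
    """Return the credential-store category for a target, or None if it is not one."""
    for name, rx in CATEGORY_RULES:
        if rx.search(target):
            return name
    return None


def parse_report(text):
    """Parse behaviour lines into dicts with source, action, target and category."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headings, Yara lines and blanks are skipped
        rec = m.groupdict()
        rec["category"] = classify(rec["target"])
        records.append(rec)
    return records


def summarize(records):
    """Count accesses per credential-store category (uncategorised lines are dropped)."""
    return Counter(r["category"] for r in records if r["category"])


def hunt_targets(records, category):
    """Unique targets for one category, in first-seen order: what to check on a host."""
    seen = []
    for r in records:
        if r["category"] == category and r["target"] not in seen:
            seen.append(r["target"])
    return seen


if __name__ == "__main__":
    recs = parse_report(SAMPLE)
    for cat, n in sorted(summarize(recs).items()):
        print(f"{cat:8s} {n:2d}  " + " | ".join(hunt_targets(recs, cat)))
```

The MachineGuid query is kept as its own category because AgentTesla reads it as a victim identifier rather than as a credential; in a hunt it is useful only as a marker that the sample reached its fingerprinting stage. Note that the duplicated Thunderbird line on the page collapses to one hunt target but still counts twice in the summary, which is the behaviour a responder wants from each function.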

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match; File source: 00000000.00000002.263302597.0000000004548000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.495432203.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: New Order Request_0232147.exe PID: 6368, type: MEMORY
Source: Yara match; File source: Process Memory Space: New Order Request_0232147.exe PID: 6604, type: MEMORY
Source: Yara match; File source: 0.2.New Order Request_0232147.exe.45ee328.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.New Order Request_0232147.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.New Order Request_0232147.exe.45ee328.3.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

The matrix below is the full technique grid as rendered by the report; only techniques carrying a bracketed number were matched by a signature for this sample (the digits are the report's superscript signature counts, flattened by extraction). Cells without a number are the grid's default entries, not observed behaviour.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation [211] | Path Interception | Process Injection [112] | Masquerading [1] | OS Credential Dumping [2] | Query Registry [1] | Remote Services | Email Collection [1] | Exfiltration Over Other Network Medium | Encrypted Channel [1] | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Command and Scripting Interpreter [2] | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools [1] | Credentials in Registry [1] | Security Software Discovery [211] | Remote Desktop Protocol | Archive Collected Data [11] | Exfiltration Over Bluetooth | Non-Standard Port [1] | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion [131] | Security Account Manager | Process Discovery [2] | SMB/Windows Admin Shares | Data from Local System [2] | Automated Exfiltration | Non-Application Layer Protocol [1] | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection [112] | NTDS | Virtualization/Sandbox Evasion [131] | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol [11] | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information [1] | LSA Secrets | Application Window Discovery [1] | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information [2] | Cached Domain Credentials | Remote System Discovery [1] | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing [2] | DCSync | System Information Discovery [114] | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Timestomp [1] | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

                  Behavior Graph


                  Screenshots


                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

Source | Detection | Scanner | Label
New Order Request_0232147.exe | 15% | Virustotal |
New Order Request_0232147.exe | 17% | ReversingLabs | ByteCode-MSIL.Trojan.Wacatac

                  Dropped Files

                  No Antivirus matches

                  Unpacked PE Files

Source | Detection | Scanner | Label
5.2.New Order Request_0232147.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                  Domains

Source | Detection | Scanner | Label
iruberritechnologies.com | 0% | Virustotal |

                  URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.comiv | 0% | URL Reputation (listed 3x) | safe
http://www.tiro.com7 | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation (listed 3x) | safe
http://www.carterandcone.comTCZ | 0% | Avira URL Cloud | safe
http://r3.i.lencr.org/0? | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation (listed 3x) | safe
http://www.goodfont.co.kr | 0% | URL Reputation (listed 3x) | safe
http://www.carterandcone.com | 0% | URL Reputation (listed 3x) | safe
http://iruberritechnologies.com | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com | 0% | URL Reputation (listed 3x) | safe
http://www.typography.netD | 0% | URL Reputation (listed 3x) | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation (listed 3x) | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation (listed 3x) | safe
http://fontfabrik.com | 0% | URL Reputation (listed 3x) | safe
http://r3.o.lencr.org0 | 0% | URL Reputation (listed 3x) | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation (listed 3x) | safe
http://www.sandoll.co.kr | 0% | URL Reputation (listed 3x) | safe
http://www.urwpp.deDPlease | 0% | URL Reputation (listed 3x) | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation (listed 3x) | safe
http://www.sakkal.com | 0% | URL Reputation (listed 3x) | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation (listed 3x) | safe
http://cps.root-x1.letsencrypt.org0 | 0% | URL Reputation (listed 3x) | safe
http://DynDns.comDynDNS | 0% | URL Reputation (listed 3x) | safe
http://www.sajatypeworks.comt | 0% | URL Reputation (listed 3x) | safe
http://www.sajatypeworks.comTF | 0% | Avira URL Cloud | safe
http://cps.letsencrypt.org0 | 0% | URL Reputation (listed 3x) | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation (listed 3x) | safe
http://www.carterandcone.comTC | 0% | URL Reputation (listed 3x) | safe
http://LPzxab.com | 0% | Avira URL Cloud | safe
https://9TuO2oVE4tm8Yg0qRsK.org | 0% | Avira URL Cloud | safe
http://www.fontbureau.comion | 0% | URL Reputation (listed 3x) | safe
http://www.founder.com.cn/cnFYT/ | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation (listed 3x) | safe
http://mail.iruberritechnologies.com | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn | 0% | URL Reputation (listed 3x) | safe
http://www.fontbureau.comh | 0% | Avira URL Cloud | safe
http://www.monotype. | 0% | URL Reputation (listed 3x) | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation (listed 3x) | safe
http://www.founder.com.cn/cn( | 0% | Avira URL Cloud | safe

A "0% / safe" entry here is a reputation lookup, not a verdict on the sample: iruberritechnologies.com and mail.iruberritechnologies.com are rated safe in this table even though iruberritechnologies.com is the only domain the sample actually contacted (see Contacted Domains below). Most of the remaining entries (fontbureau, sajatypeworks, carterandcone, tiro, sandoll, sakkal, urwpp, monotype, founder, zhongyicts, jiyu-kobo, galapagosdesign, fontfabrik, goodfont, typography.net) are type-foundry URLs carried in the metadata of the font files the process enumerated above, and trailing characters such as "comiv", "comTCZ" or "netD" are string-carving artefacts from the memory dump, not real hosts. The Tor Browser download URL and the DynDNS string come from the unpacked payload regions and are embedded AgentTesla strings rather than observed downloads.

                  Domains and IPs

                  Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
iruberritechnologies.com | 149.202.85.210 | true | true | | unknown
mail.iruberritechnologies.com | unknown | unknown | true | | unknown

Only iruberritechnologies.com resolved and was contacted; the mail. subdomain was looked up but no IP is recorded. A mail host as the sole contact is consistent with AgentTesla's SMTP exfiltration mode, but this section does not show the port, so that remains an inference from the "Non-Standard Port" and "Application Layer Protocol" matrix entries rather than a recorded fact.

                    URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | New Order Request_0232147.exe, 00000005.00000002.500811322.0000000002C51000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.com/designersG | New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | false | | high
http://www.sajatypeworks.comiv | New Order Request_0232147.exe, 00000000.00000003.233482785.000000000629B000.00000004.00000001.sdmp | false | URL Reputation: safe (listed 3x) | unknown
http://www.tiro.com7 | New Order Request_0232147.exe, 00000000.00000003.235097752.0000000006288000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/? | New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | false | URL Reputation: safe (listed 3x) | unknown
http://www.fontbureau.com/designers? | New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | false | | high
http://www.carterandcone.comTCZ | New Order Request_0232147.exe, 00000000.00000003.237770203.000000000628E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://r3.i.lencr.org/0? | New Order Request_0232147.exe, 00000005.00000002.503206058.0000000002F00000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | false | URL Reputation: safe (listed 3x) | unknown
http://www.fontbureau.com/designers | New Order Request_0232147.exe, 00000000.00000003.243298062.0000000006285000.00000004.00000001.sdmp | false | | high
http://www.goodfont.co.kr | New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | false | URL Reputation: safe (listed 3x) | unknown
http://www.carterandcone.com | New Order Request_0232147.exe, 00000000.00000003.237770203.000000000628E000.00000004.00000001.sdmp | false | URL Reputation: safe (listed 3x) | unknown
http://iruberritechnologies.com | New Order Request_0232147.exe, 00000005.00000002.503177096.0000000002EFA000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.com | New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | false | URL Reputation: safe (listed 3x) | unknown
http://www.typography.netD | New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | false | URL Reputation: safe (listed 3x) | unknown
http://www.founder.com.cn/cn/cThe | New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | false | URL Reputation: safe (listed 3x) | unknown
http://www.galapagosdesign.com/staff/dennis.htm | New Order Request_0232147.exe, 00000000.00000003.242633271.0000000006285000.00000004.00000001.sdmp, New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | false | URL Reputation: safe (listed 3x) | unknown
http://fontfabrik.com | New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | false | URL Reputation: safe (listed 3x) | unknown
http://r3.o.lencr.org0 | New Order Request_0232147.exe, 00000005.00000002.503206058.0000000002F00000.00000004.00000001.sdmp | false | URL Reputation: safe (listed 3x) | unknown
http://www.galapagosdesign.com/DPlease | New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | false | URL Reputation: safe (listed 3x) | unknown
http://www.fonts.com | New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | false | | high
http://www.sandoll.co.kr | New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | false | URL Reputation: safe (listed 3x) | unknown
http://www.urwpp.deDPlease | New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | false | URL Reputation: safe (listed 3x) | unknown
http://www.zhongyicts.com.cn | New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | false | URL Reputation: safe (listed 3x) | unknown
http://www.sakkal.com | New Order Request_0232147.exe, 00000000.00000003.237365971.0000000006286000.00000004.00000001.sdmp | false | URL Reputation: safe (listed 3x) | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | New Order Request_0232147.exe, 00000000.00000002.263302597.0000000004548000.00000004.00000001.sdmp, New Order Request_0232147.exe, 00000005.00000002.495432203.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe (listed 3x) | unknown
http://cps.root-x1.letsencrypt.org0 | New Order Request_0232147.exe, 00000005.00000002.503206058.0000000002F00000.00000004.00000001.sdmp | false | URL Reputation: safe (listed 3x) | unknown
http://www.apache.org/licenses/LICENSE-2.0 | New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com | New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmp | false | | high
http://DynDns.comDynDNS | New Order Request_0232147.exe, 00000005.00000002.500811322.0000000002C51000.00000004.00000001.sdmp | false | URL Reputation: safe (listed 3x) | unknown
http://www.sajatypeworks.comt | New Order Request_0232147.exe, 00000000.00000003.233482785.000000000629B000.00000004.00000001.sdmp | false | URL Reputation: safe (listed 3x) | unknown
http://www.sajatypeworks.comTF | New Order Request_0232147.exe, 00000000.00000003.233482785.000000000629B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://cps.letsencrypt.org0 | New Order Request_0232147.exe, 00000005.00000002.503206058.0000000002F00000.00000004.00000001.sdmp | false | URL Reputation: safe (listed 3x) | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | New Order Request_0232147.exe, 00000005.00000002.500811322.0000000002C51000.00000004.00000001.sdmp | false | URL Reputation: safe (listed 3x) | unknown
http://www.carterandcone.comTC | New Order Request_0232147.exe, 00000000.00000003.237770203.000000000628E000.00000004.00000001.sdmp | false | URL Reputation: safe (listed 3x) | unknown
http://LPzxab.com | New Order Request_0232147.exe, 00000005.00000002.500811322.0000000002C51000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://9TuO2oVE4tm8Yg0qRsK.org | New Order Request_0232147.exe, 00000005.00000002.500811322.0000000002C51000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                                  http://www.fontbureau.comionNew Order Request_0232147.exe, 00000000.00000002.259475460.00000000019A7000.00000004.00000040.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://www.founder.com.cn/cnFYT/New Order Request_0232147.exe, 00000000.00000003.234986480.0000000006288000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.carterandcone.comlNew Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://mail.iruberritechnologies.comNew Order Request_0232147.exe, 00000005.00000002.503177096.0000000002EFA000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.fontbureau.com/designers/cabarga.htmlNNew Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmpfalse
                                    high
                                    http://www.founder.com.cn/cnNew Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.fontbureau.com/designers/frere-jones.htmlNew Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmpfalse
                                      high
                                      http://www.fontbureau.comhNew Order Request_0232147.exe, 00000000.00000002.259475460.00000000019A7000.00000004.00000040.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.monotype.New Order Request_0232147.exe, 00000000.00000003.241640533.000000000628B000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://www.jiyu-kobo.co.jp/New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://www.fontbureau.com/designers8New Order Request_0232147.exe, 00000000.00000002.268539867.0000000006370000.00000002.00000001.sdmpfalse
                                        high
                                        http://www.founder.com.cn/cn(New Order Request_0232147.exe, 00000000.00000003.234986480.0000000006288000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown

Contacted IPs

Public

IP              Domain                    Country  ASN    ASN Name  Malicious
149.202.85.210  iruberritechnologies.com  France   16276  OVH FR    true

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 404158
Start date: 04.05.2021
Start time: 19:00:41
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 56s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: New Order Request_0232147.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@5/1@6/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Excluded IPs from analysis (whitelisted): 93.184.220.29, 204.79.197.200, 13.107.21.200, 20.82.210.154, 13.88.21.125, 52.147.198.201, 92.122.145.220, 52.255.188.83, 104.43.139.144, 23.57.80.111, 2.20.142.210, 2.20.142.209, 92.122.213.194, 92.122.213.247, 20.54.26.129
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, cs9.wac.phicdn.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time      Type             Description
19:01:41  API Interceptor  706x Sleep call for process: New Order Request_0232147.exe modified

Joe Sandbox View / Context

IPs

Match           Associated Sample Name / URL  Detection
149.202.85.210  Zwi#U0119ksz-2873037.exe      malicious

Domains

No context

ASN

Match   Associated Sample Name / URL    Detection  Context
OVH FR  Transcation03232016646pdf.exe   malicious  79.137.109.121
        5e60c283_by_Libranalysis.xlsm   malicious  51.77.73.218
        MZyeln5mSFOjxMx.exe             malicious  66.70.204.222
        5e60c283_by_Libranalysis.xlsm   malicious  51.77.73.218
        51086cc4_by_Libranalysis.dll    malicious  167.114.113.13
        8aa43191_by_Libranalysis.dll    malicious  167.114.113.13
        5e60c283_by_Libranalysis.xlsm   malicious  51.77.73.218
        51086cc4_by_Libranalysis.dll    malicious  167.114.113.13
        8aa43191_by_Libranalysis.dll    malicious  167.114.113.13
        840e7dfd_by_Libranalysis.dll    malicious  167.114.113.13
        840e7dfd_by_Libranalysis.dll    malicious  167.114.113.13
        94765446_by_Libranalysis.dll    malicious  167.114.113.13
        d192feb6_by_Libranalysis.dll    malicious  167.114.113.13
        7bc33f1c_by_Libranalysis.dll    malicious  167.114.113.13
        94765446_by_Libranalysis.dll    malicious  167.114.113.13
        448b5d7d_by_Libranalysis.dll    malicious  167.114.113.13
        7bc33f1c_by_Libranalysis.dll    malicious  167.114.113.13
        feb26e28_by_Libranalysis.dll    malicious  167.114.113.13
        cfba18f5_by_Libranalysis.dll    malicious  167.114.113.13
        ae394500_by_Libranalysis.dll    malicious  167.114.113.13

                                          JA3 Fingerprints

                                          No context

                                          Dropped Files

                                          No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\New Order Request_0232147.exe.log
Process: C:\Users\user\Desktop\New Order Request_0232147.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5: FED34146BF2F2FA59DCF8702FCC8232E
SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.16370494238722
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: New Order Request_0232147.exe
File size: 1045504
MD5: 5133cbc9db4989d6fbb350e0829911c8
SHA1: 72052feec6f9f94fe0831a77bdf8c3493d268e37
SHA256: fbdc2f9c6e970ae88ff30847c4d63472a0f0aa9b8e008e5b5c37f62ac526a963
SHA512: 8f13f01160e182cb9169ebaffc97e48f1f84661c613370cf9c9c77dc39b4e8c1686a74cd4e438530e27970a0fe9c0465043434aad000f66b4469f9009c0807e1
SSDEEP: 24576:Zv0t4KctioLA/9NjMjEjqRUj+hRZJr+F/:Zv0t4KEyYoOWaJr+F
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...d.................0.................. ... ....@.. .......................`............@................................

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

General

Entrypoint: 0x5007e2
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0xF0C0A264 [Sun Dec 29 11:52:04 2097 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                                          Entrypoint Preview

                                          Instruction
                                          jmp dword ptr [00402000h]
                                          add byte ptr [eax], al

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x100790         0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x102000         0x604         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x104000         0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x100774         0x1c          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
.text   0x2000           0xfe7e8       0xfe800   False     0.625946824349   data       7.17013687848    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0x102000         0x604         0x800     False     0.330078125      data       3.44053524231    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x104000         0xc           0x200     False     0.044921875      data       0.0815394123432  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name         RVA       Size   Type                                                                       Language  Country
RT_VERSION   0x102090  0x374  data
RT_MANIFEST  0x102414  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL          Import
mscoree.dll  _CorExeMain

Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 2019
Assembly Version  1.0.0.0
InternalName      qGOldQU8bPo4VOD.exe
FileVersion       1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName       HospitalManagementSystem
ProductVersion    1.0.0.0
FileDescription   HospitalManagementSystem
OriginalFilename  qGOldQU8bPo4VOD.exe

                                          Network Behavior

Snort IDS Alerts

Timestamp                 Protocol  SID  Message                                        Source Port  Dest Port  Source IP    Dest IP
05/04/21-19:03:34.149691  ICMP      402  ICMP Destination Unreachable Port Unreachable                          192.168.2.5  8.8.8.8
05/04/21-19:03:35.147063  ICMP      402  ICMP Destination Unreachable Port Unreachable                          192.168.2.5  8.8.8.8
05/04/21-19:03:38.608596  ICMP      402  ICMP Destination Unreachable Port Unreachable                          192.168.2.5  8.8.8.8

TCP Packets

A single session: 192.168.2.5:49730 to 149.202.85.210:587 (mail submission), which carries the SMTP exchange listed further below.

Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 4, 2021 19:03:35.674813986 CEST | 49730 | 587 | 192.168.2.5 | 149.202.85.210
May 4, 2021 19:03:35.724775076 CEST | 587 | 49730 | 149.202.85.210 | 192.168.2.5
May 4, 2021 19:03:35.724873066 CEST | 49730 | 587 | 192.168.2.5 | 149.202.85.210
May 4, 2021 19:03:35.874888897 CEST | 587 | 49730 | 149.202.85.210 | 192.168.2.5
May 4, 2021 19:03:35.875323057 CEST | 49730 | 587 | 192.168.2.5 | 149.202.85.210
May 4, 2021 19:03:35.925534010 CEST | 587 | 49730 | 149.202.85.210 | 192.168.2.5
May 4, 2021 19:03:35.925946951 CEST | 49730 | 587 | 192.168.2.5 | 149.202.85.210
May 4, 2021 19:03:35.978585005 CEST | 587 | 49730 | 149.202.85.210 | 192.168.2.5
May 4, 2021 19:03:36.029336929 CEST | 49730 | 587 | 192.168.2.5 | 149.202.85.210
May 4, 2021 19:03:36.059819937 CEST | 49730 | 587 | 192.168.2.5 | 149.202.85.210
May 4, 2021 19:03:36.131764889 CEST | 587 | 49730 | 149.202.85.210 | 192.168.2.5
May 4, 2021 19:03:36.131798983 CEST | 587 | 49730 | 149.202.85.210 | 192.168.2.5
May 4, 2021 19:03:36.131819963 CEST | 587 | 49730 | 149.202.85.210 | 192.168.2.5
May 4, 2021 19:03:36.131889105 CEST | 49730 | 587 | 192.168.2.5 | 149.202.85.210
May 4, 2021 19:03:36.139411926 CEST | 49730 | 587 | 192.168.2.5 | 149.202.85.210
May 4, 2021 19:03:36.189862013 CEST | 587 | 49730 | 149.202.85.210 | 192.168.2.5
May 4, 2021 19:03:36.232606888 CEST | 49730 | 587 | 192.168.2.5 | 149.202.85.210
May 4, 2021 19:03:36.524369955 CEST | 49730 | 587 | 192.168.2.5 | 149.202.85.210
May 4, 2021 19:03:36.574446917 CEST | 587 | 49730 | 149.202.85.210 | 192.168.2.5
May 4, 2021 19:03:36.576993942 CEST | 49730 | 587 | 192.168.2.5 | 149.202.85.210
May 4, 2021 19:03:36.627314091 CEST | 587 | 49730 | 149.202.85.210 | 192.168.2.5
May 4, 2021 19:03:36.628407001 CEST | 49730 | 587 | 192.168.2.5 | 149.202.85.210
May 4, 2021 19:03:36.717538118 CEST | 587 | 49730 | 149.202.85.210 | 192.168.2.5
May 4, 2021 19:03:36.732202053 CEST | 587 | 49730 | 149.202.85.210 | 192.168.2.5
May 4, 2021 19:03:36.733273029 CEST | 49730 | 587 | 192.168.2.5 | 149.202.85.210
May 4, 2021 19:03:36.783344030 CEST | 587 | 49730 | 149.202.85.210 | 192.168.2.5
May 4, 2021 19:03:36.784981966 CEST | 49730 | 587 | 192.168.2.5 | 149.202.85.210
May 4, 2021 19:03:36.848463058 CEST | 587 | 49730 | 149.202.85.210 | 192.168.2.5
May 4, 2021 19:03:36.849080086 CEST | 49730 | 587 | 192.168.2.5 | 149.202.85.210
May 4, 2021 19:03:36.899036884 CEST | 587 | 49730 | 149.202.85.210 | 192.168.2.5
May 4, 2021 19:03:36.903260946 CEST | 49730 | 587 | 192.168.2.5 | 149.202.85.210
May 4, 2021 19:03:36.903429031 CEST | 49730 | 587 | 192.168.2.5 | 149.202.85.210
May 4, 2021 19:03:36.903563023 CEST | 49730 | 587 | 192.168.2.5 | 149.202.85.210
May 4, 2021 19:03:36.903666019 CEST | 49730 | 587 | 192.168.2.5 | 149.202.85.210
May 4, 2021 19:03:36.953233957 CEST | 587 | 49730 | 149.202.85.210 | 192.168.2.5
May 4, 2021 19:03:36.953267097 CEST | 587 | 49730 | 149.202.85.210 | 192.168.2.5
May 4, 2021 19:03:36.953285933 CEST | 587 | 49730 | 149.202.85.210 | 192.168.2.5
May 4, 2021 19:03:36.953876019 CEST | 587 | 49730 | 149.202.85.210 | 192.168.2.5
May 4, 2021 19:03:37.489578962 CEST | 587 | 49730 | 149.202.85.210 | 192.168.2.5
May 4, 2021 19:03:37.529539108 CEST | 49730 | 587 | 192.168.2.5 | 149.202.85.210

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 4, 2021 19:01:25.592560053 CEST | 53 | 64344 | 8.8.8.8 | 192.168.2.5
May 4, 2021 19:01:26.003287077 CEST | 62060 | 53 | 192.168.2.5 | 8.8.8.8
May 4, 2021 19:01:26.060152054 CEST | 53 | 62060 | 8.8.8.8 | 192.168.2.5
May 4, 2021 19:01:26.093084097 CEST | 61805 | 53 | 192.168.2.5 | 8.8.8.8
May 4, 2021 19:01:26.144553900 CEST | 53 | 61805 | 8.8.8.8 | 192.168.2.5
May 4, 2021 19:01:26.345740080 CEST | 54795 | 53 | 192.168.2.5 | 8.8.8.8
May 4, 2021 19:01:26.395255089 CEST | 53 | 54795 | 8.8.8.8 | 192.168.2.5
May 4, 2021 19:01:27.437642097 CEST | 49557 | 53 | 192.168.2.5 | 8.8.8.8
May 4, 2021 19:01:27.486398935 CEST | 53 | 49557 | 8.8.8.8 | 192.168.2.5
May 4, 2021 19:01:28.266197920 CEST | 61733 | 53 | 192.168.2.5 | 8.8.8.8
May 4, 2021 19:01:28.317600965 CEST | 53 | 61733 | 8.8.8.8 | 192.168.2.5
May 4, 2021 19:01:29.049745083 CEST | 65447 | 53 | 192.168.2.5 | 8.8.8.8
May 4, 2021 19:01:29.109853029 CEST | 53 | 65447 | 8.8.8.8 | 192.168.2.5
May 4, 2021 19:01:29.161185026 CEST | 52441 | 53 | 192.168.2.5 | 8.8.8.8
May 4, 2021 19:01:29.221350908 CEST | 53 | 52441 | 8.8.8.8 | 192.168.2.5
May 4, 2021 19:01:30.116239071 CEST | 62176 | 53 | 192.168.2.5 | 8.8.8.8
May 4, 2021 19:01:30.167891026 CEST | 53 | 62176 | 8.8.8.8 | 192.168.2.5
May 4, 2021 19:01:30.920952082 CEST | 59596 | 53 | 192.168.2.5 | 8.8.8.8
May 4, 2021 19:01:30.969603062 CEST | 53 | 59596 | 8.8.8.8 | 192.168.2.5
May 4, 2021 19:01:31.944355965 CEST | 65296 | 53 | 192.168.2.5 | 8.8.8.8
May 4, 2021 19:01:31.995897055 CEST | 53 | 65296 | 8.8.8.8 | 192.168.2.5
May 4, 2021 19:01:32.728172064 CEST | 63183 | 53 | 192.168.2.5 | 8.8.8.8
May 4, 2021 19:01:32.776891947 CEST | 53 | 63183 | 8.8.8.8 | 192.168.2.5
May 4, 2021 19:01:34.211884022 CEST | 60151 | 53 | 192.168.2.5 | 8.8.8.8
May 4, 2021 19:01:34.270097017 CEST | 53 | 60151 | 8.8.8.8 | 192.168.2.5
May 4, 2021 19:01:35.463999987 CEST | 56969 | 53 | 192.168.2.5 | 8.8.8.8
May 4, 2021 19:01:35.515537024 CEST | 53 | 56969 | 8.8.8.8 | 192.168.2.5
May 4, 2021 19:01:50.874479055 CEST | 55161 | 53 | 192.168.2.5 | 8.8.8.8
May 4, 2021 19:01:50.938227892 CEST | 53 | 55161 | 8.8.8.8 | 192.168.2.5
May 4, 2021 19:02:02.922646046 CEST | 54757 | 53 | 192.168.2.5 | 8.8.8.8
May 4, 2021 19:02:02.974347115 CEST | 53 | 54757 | 8.8.8.8 | 192.168.2.5
May 4, 2021 19:02:21.236640930 CEST | 49992 | 53 | 192.168.2.5 | 8.8.8.8
May 4, 2021 19:02:21.294007063 CEST | 53 | 49992 | 8.8.8.8 | 192.168.2.5
May 4, 2021 19:02:45.338238955 CEST | 60075 | 53 | 192.168.2.5 | 8.8.8.8
May 4, 2021 19:02:45.389822006 CEST | 53 | 60075 | 8.8.8.8 | 192.168.2.5
May 4, 2021 19:02:55.162802935 CEST | 55016 | 53 | 192.168.2.5 | 8.8.8.8
May 4, 2021 19:02:55.221085072 CEST | 53 | 55016 | 8.8.8.8 | 192.168.2.5
May 4, 2021 19:03:10.427627087 CEST | 64345 | 53 | 192.168.2.5 | 8.8.8.8
May 4, 2021 19:03:10.493542910 CEST | 53 | 64345 | 8.8.8.8 | 192.168.2.5
May 4, 2021 19:03:30.029875040 CEST | 57128 | 53 | 192.168.2.5 | 8.8.8.8
May 4, 2021 19:03:31.029841900 CEST | 57128 | 53 | 192.168.2.5 | 8.8.8.8
May 4, 2021 19:03:32.045248032 CEST | 57128 | 53 | 192.168.2.5 | 8.8.8.8
May 4, 2021 19:03:32.948568106 CEST | 54791 | 53 | 192.168.2.5 | 8.8.8.8
May 4, 2021 19:03:32.997354031 CEST | 53 | 54791 | 8.8.8.8 | 192.168.2.5
May 4, 2021 19:03:34.092262030 CEST | 57128 | 53 | 192.168.2.5 | 8.8.8.8
May 4, 2021 19:03:34.134357929 CEST | 53 | 57128 | 8.8.8.8 | 192.168.2.5
May 4, 2021 19:03:34.134438038 CEST | 53 | 57128 | 8.8.8.8 | 192.168.2.5
May 4, 2021 19:03:34.149570942 CEST | 53 | 57128 | 8.8.8.8 | 192.168.2.5
May 4, 2021 19:03:34.505417109 CEST | 50463 | 53 | 192.168.2.5 | 8.8.8.8
May 4, 2021 19:03:35.146867037 CEST | 53 | 57128 | 8.8.8.8 | 192.168.2.5
May 4, 2021 19:03:35.435235977 CEST | 50394 | 53 | 192.168.2.5 | 8.8.8.8
May 4, 2021 19:03:35.492245913 CEST | 53 | 50394 | 8.8.8.8 | 192.168.2.5
May 4, 2021 19:03:35.498763084 CEST | 50463 | 53 | 192.168.2.5 | 8.8.8.8
May 4, 2021 19:03:35.558713913 CEST | 53 | 50463 | 8.8.8.8 | 192.168.2.5
May 4, 2021 19:03:38.608398914 CEST | 53 | 50463 | 8.8.8.8 | 192.168.2.5

ICMP Packets

Timestamp | Source IP | Dest IP | Checksum | Code | Type
May 4, 2021 19:03:34.149691105 CEST | 192.168.2.5 | 8.8.8.8 | d020 | (Port unreachable) | Destination Unreachable
May 4, 2021 19:03:35.147063017 CEST | 192.168.2.5 | 8.8.8.8 | d020 | (Port unreachable) | Destination Unreachable
May 4, 2021 19:03:38.608596087 CEST | 192.168.2.5 | 8.8.8.8 | d020 | (Port unreachable) | Destination Unreachable

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 4, 2021 19:03:30.029875040 CEST | 192.168.2.5 | 8.8.8.8 | 0x9dbd | Standard query (0) | mail.iruberritechnologies.com | A (IP address) | IN (0x0001)
May 4, 2021 19:03:31.029841900 CEST | 192.168.2.5 | 8.8.8.8 | 0x9dbd | Standard query (0) | mail.iruberritechnologies.com | A (IP address) | IN (0x0001)
May 4, 2021 19:03:32.045248032 CEST | 192.168.2.5 | 8.8.8.8 | 0x9dbd | Standard query (0) | mail.iruberritechnologies.com | A (IP address) | IN (0x0001)
May 4, 2021 19:03:34.092262030 CEST | 192.168.2.5 | 8.8.8.8 | 0x9dbd | Standard query (0) | mail.iruberritechnologies.com | A (IP address) | IN (0x0001)
May 4, 2021 19:03:34.505417109 CEST | 192.168.2.5 | 8.8.8.8 | 0xf0aa | Standard query (0) | mail.iruberritechnologies.com | A (IP address) | IN (0x0001)
May 4, 2021 19:03:35.498763084 CEST | 192.168.2.5 | 8.8.8.8 | 0xf0aa | Standard query (0) | mail.iruberritechnologies.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 4, 2021 19:03:34.134357929 CEST | 8.8.8.8 | 192.168.2.5 | 0x9dbd | No error (0) | mail.iruberritechnologies.com | iruberritechnologies.com | | CNAME (Canonical name) | IN (0x0001)
May 4, 2021 19:03:34.134357929 CEST | 8.8.8.8 | 192.168.2.5 | 0x9dbd | No error (0) | iruberritechnologies.com | | 149.202.85.210 | A (IP address) | IN (0x0001)
May 4, 2021 19:03:34.134438038 CEST | 8.8.8.8 | 192.168.2.5 | 0x9dbd | No error (0) | mail.iruberritechnologies.com | iruberritechnologies.com | | CNAME (Canonical name) | IN (0x0001)
May 4, 2021 19:03:34.134438038 CEST | 8.8.8.8 | 192.168.2.5 | 0x9dbd | No error (0) | iruberritechnologies.com | | 149.202.85.210 | A (IP address) | IN (0x0001)
May 4, 2021 19:03:34.149570942 CEST | 8.8.8.8 | 192.168.2.5 | 0x9dbd | No error (0) | mail.iruberritechnologies.com | iruberritechnologies.com | | CNAME (Canonical name) | IN (0x0001)
May 4, 2021 19:03:34.149570942 CEST | 8.8.8.8 | 192.168.2.5 | 0x9dbd | No error (0) | iruberritechnologies.com | | 149.202.85.210 | A (IP address) | IN (0x0001)
May 4, 2021 19:03:35.146867037 CEST | 8.8.8.8 | 192.168.2.5 | 0x9dbd | No error (0) | mail.iruberritechnologies.com | iruberritechnologies.com | | CNAME (Canonical name) | IN (0x0001)
May 4, 2021 19:03:35.146867037 CEST | 8.8.8.8 | 192.168.2.5 | 0x9dbd | No error (0) | iruberritechnologies.com | | 149.202.85.210 | A (IP address) | IN (0x0001)
May 4, 2021 19:03:35.558713913 CEST | 8.8.8.8 | 192.168.2.5 | 0xf0aa | No error (0) | mail.iruberritechnologies.com | iruberritechnologies.com | | CNAME (Canonical name) | IN (0x0001)
May 4, 2021 19:03:35.558713913 CEST | 8.8.8.8 | 192.168.2.5 | 0xf0aa | No error (0) | iruberritechnologies.com | | 149.202.85.210 | A (IP address) | IN (0x0001)
May 4, 2021 19:03:38.608398914 CEST | 8.8.8.8 | 192.168.2.5 | 0xf0aa | No error (0) | mail.iruberritechnologies.com | iruberritechnologies.com | | CNAME (Canonical name) | IN (0x0001)
May 4, 2021 19:03:38.608398914 CEST | 8.8.8.8 | 192.168.2.5 | 0xf0aa | No error (0) | iruberritechnologies.com | | 149.202.85.210 | A (IP address) | IN (0x0001)
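The DNS, UDP and ICMP rows above, together with the three Snort alerts, tell one story: the lookup of mail.iruberritechnologies.com was retried with the same transaction ID, every copy was eventually answered, and answers that arrived after the resolver had closed its source port were bounced with ICMP port unreachable. The following Python is an added example written for this page; it is not part of the Joe Sandbox report. It transcribes the rows from the tables above as constructed input and, for every port-unreachable the host sent, looks for a DNS answer delivered to the host within a short window just before it. The 5 ms window, the tuple layouts and the "dns-retry-artifact" verdict are choices made here, not anything the report defines.

```python
from datetime import datetime, timedelta

# Rows transcribed from the report's UDP, ICMP and DNS tables for the
# 19:03:30-19:03:39 window (constructed input, not a full packet capture).
UDP_ROWS = [  # (timestamp, src_port, dst_port, src_ip, dst_ip)
    ("May 4, 2021 19:03:30.029875040 CEST", 57128, 53, "192.168.2.5", "8.8.8.8"),
    ("May 4, 2021 19:03:31.029841900 CEST", 57128, 53, "192.168.2.5", "8.8.8.8"),
    ("May 4, 2021 19:03:32.045248032 CEST", 57128, 53, "192.168.2.5", "8.8.8.8"),
    ("May 4, 2021 19:03:34.092262030 CEST", 57128, 53, "192.168.2.5", "8.8.8.8"),
    ("May 4, 2021 19:03:34.134357929 CEST", 53, 57128, "8.8.8.8", "192.168.2.5"),
    ("May 4, 2021 19:03:34.134438038 CEST", 53, 57128, "8.8.8.8", "192.168.2.5"),
    ("May 4, 2021 19:03:34.149570942 CEST", 53, 57128, "8.8.8.8", "192.168.2.5"),
    ("May 4, 2021 19:03:34.505417109 CEST", 50463, 53, "192.168.2.5", "8.8.8.8"),
    ("May 4, 2021 19:03:35.146867037 CEST", 53, 57128, "8.8.8.8", "192.168.2.5"),
    ("May 4, 2021 19:03:35.498763084 CEST", 50463, 53, "192.168.2.5", "8.8.8.8"),
    ("May 4, 2021 19:03:35.558713913 CEST", 53, 50463, "8.8.8.8", "192.168.2.5"),
    ("May 4, 2021 19:03:38.608398914 CEST", 53, 50463, "8.8.8.8", "192.168.2.5"),
]
ICMP_ROWS = [  # (timestamp, src_ip, dst_ip, code)
    ("May 4, 2021 19:03:34.149691105 CEST", "192.168.2.5", "8.8.8.8", "Port unreachable"),
    ("May 4, 2021 19:03:35.147063017 CEST", "192.168.2.5", "8.8.8.8", "Port unreachable"),
    ("May 4, 2021 19:03:38.608596087 CEST", "192.168.2.5", "8.8.8.8", "Port unreachable"),
]
NAME = "mail.iruberritechnologies.com"
DNS_QUERIES = [  # (timestamp, transaction_id, name)
    ("May 4, 2021 19:03:30.029875040 CEST", 0x9dbd, NAME),
    ("May 4, 2021 19:03:31.029841900 CEST", 0x9dbd, NAME),
    ("May 4, 2021 19:03:32.045248032 CEST", 0x9dbd, NAME),
    ("May 4, 2021 19:03:34.092262030 CEST", 0x9dbd, NAME),
    ("May 4, 2021 19:03:34.505417109 CEST", 0xf0aa, NAME),
    ("May 4, 2021 19:03:35.498763084 CEST", 0xf0aa, NAME),
]


def parse_ts(s):
    """Parse 'May 4, 2021 19:03:34.149691105 CEST'. The report carries
    nanoseconds; strptime's %f takes at most six digits, so truncate."""
    body = s.rsplit(" ", 1)[0]            # drop the zone label
    head, frac = body.rsplit(".", 1)
    return datetime.strptime(f"{head}.{frac[:6]}", "%B %d, %Y %H:%M:%S.%f")


def dns_retransmissions(queries):
    """Count how often each (transaction id, name) pair was sent; more than
    once means the stub resolver timed out and retried the same query."""
    counts = {}
    for _, txid, name in queries:
        counts[(txid, name)] = counts.get((txid, name), 0) + 1
    return {k: v for k, v in counts.items() if v > 1}


def explain_port_unreachable(icmp_rows, udp_rows, window=timedelta(milliseconds=5)):
    """For each ICMP port-unreachable the host sent, find the datagram it
    rejected: the latest DNS answer (source port 53) delivered to the host
    within `window` before the ICMP. Returns (icmp_ts, dst_port, delta_us);
    dst_port is None when nothing matches and the alert deserves a closer look."""
    results = []
    for icmp_ts, host, resolver, code in icmp_rows:
        if code != "Port unreachable":
            continue
        t_icmp = parse_ts(icmp_ts)
        candidates = []
        for ts, sport, dport, sip, dip in udp_rows:
            if sip == resolver and dip == host and sport == 53:
                t_ans = parse_ts(ts)
                if timedelta(0) <= t_icmp - t_ans <= window:
                    candidates.append((t_ans, dport))
        if candidates:
            t_ans, port = max(candidates)
            results.append((icmp_ts, port, (t_icmp - t_ans) // timedelta(microseconds=1)))
        else:
            results.append((icmp_ts, None, None))
    return results


def triage(icmp_rows, udp_rows, queries):
    """Verdict: port-unreachables that are all explained by late answers to a
    retried query are a resolver artifact, not evidence of C2 activity."""
    retried = dns_retransmissions(queries)
    matches = explain_port_unreachable(icmp_rows, udp_rows)
    explained = all(port is not None for _, port, _ in matches)
    return {"retried_queries": retried, "icmp_matches": matches,
            "verdict": "dns-retry-artifact" if explained and retried else "unexplained"}
```

Run against the transcribed rows, all three ICMP messages match an answer to port 57128 or 50463 delivered roughly 120 to 200 microseconds earlier, and 0x9dbd is seen four times. Against a real capture the same logic should be fed the full UDP stream, since an answer that is not in the table cannot be matched and would leave the alert unexplained.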

SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands

May 4, 2021 19:03:35.874888897 CEST | 587 | 49730 | 149.202.85.210 | 192.168.2.5 |
    220-ns3020561.ip-149-202-85.eu ESMTP Exim 4.94 #2 Tue, 04 May 2021 19:03:34 +0200
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
May 4, 2021 19:03:35.875323057 CEST | 49730 | 587 | 192.168.2.5 | 149.202.85.210 |
    EHLO 688098
May 4, 2021 19:03:35.925534010 CEST | 587 | 49730 | 149.202.85.210 | 192.168.2.5 |
    250-ns3020561.ip-149-202-85.eu Hello 688098 [84.17.52.3]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-X_PIPE_CONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
May 4, 2021 19:03:35.925946951 CEST | 49730 | 587 | 192.168.2.5 | 149.202.85.210 |
    STARTTLS
May 4, 2021 19:03:35.978585005 CEST | 587 | 49730 | 149.202.85.210 | 192.168.2.5 |
    220 TLS go ahead

Only the cleartext preamble of the submission session is visible: the server (Exim 4.94) advertises AUTH PLAIN LOGIN and STARTTLS, the client sends STARTTLS, and the remainder of the session (the TCP packets through 19:03:37.529 above) is encrypted, so any AUTH exchange and message content does not appear in the capture; the SMTP account details come from the extracted malware configuration, not from the pcap. The server's 250 greeting echoes the address it saw the client connect from, 84.17.52.3, i.e. the NATed public address of the analysis host, which the operator of the mail server can therefore see.
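What the capture can and cannot tell a defender depends on where in the SMTP dialogue TLS starts. The following Python is an added example written for this page, not code from the Joe Sandbox report: it transcribes the dialogue from the table above as constructed input and walks the cleartext part of the session, recording the server software from the banner, the EHLO identity, the address the server says it is talking to (Exim greets "Hello <name> [<address>]", which is how the client's public address is recovered), the advertised extensions and AUTH mechanisms, and whether AUTH was sent before or after STARTTLS. The field names and the visibility verdict strings are choices made here.

```python
import re

# Dialogue transcribed from the report's "SMTP Packets" table (constructed input).
# "S" = server 149.202.85.210:587, "C" = client 192.168.2.5:49730.
DIALOGUE = [
    ("S", "220-ns3020561.ip-149-202-85.eu ESMTP Exim 4.94 #2 Tue, 04 May 2021 19:03:34 +0200"),
    ("S", "220-We do not authorize the use of this system to transport unsolicited,"),
    ("S", "220 and/or bulk e-mail."),
    ("C", "EHLO 688098"),
    ("S", "250-ns3020561.ip-149-202-85.eu Hello 688098 [84.17.52.3]"),
    ("S", "250-SIZE 52428800"),
    ("S", "250-8BITMIME"),
    ("S", "250-PIPELINING"),
    ("S", "250-X_PIPE_CONNECT"),
    ("S", "250-AUTH PLAIN LOGIN"),
    ("S", "250-STARTTLS"),
    ("S", "250 HELP"),
    ("C", "STARTTLS"),
    ("S", "220 TLS go ahead"),
]

CONNECT_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # "[84.17.52.3]" in the EHLO greeting
SOFTWARE = re.compile(r"ESMTP\s+(\S+\s+\d[\w.]*)")           # "Exim 4.94" in the banner


def analyze_smtp(dialogue):
    """Walk the cleartext part of a submission session and record what a
    defender can learn from it before the channel goes opaque."""
    s = {
        "server_banner": None, "server_software": None,
        "ehlo_identity": None, "client_public_ip": None,
        "extensions": [], "auth_mechanisms": [],
        "starttls_offered": False, "starttls_accepted": False,
        "auth_in_cleartext": False, "cleartext_client_commands": [],
    }
    last_verb = None
    for who, line in dialogue:
        if who == "C":
            s["cleartext_client_commands"].append(line)
            parts = line.split()
            last_verb = parts[0].upper()
            if last_verb in ("EHLO", "HELO") and len(parts) > 1:
                s["ehlo_identity"] = parts[1]
            elif last_verb == "AUTH":
                # Credentials sent before TLS was negotiated are readable in the pcap.
                s["auth_in_cleartext"] = not s["starttls_accepted"]
            continue
        code, text = line[:3], line[4:]          # "250-FOO" or "250 FOO" (last line)
        if code == "220" and last_verb is None:
            if s["server_banner"] is None:        # first line of the greeting only
                s["server_banner"] = text
                m = SOFTWARE.search(text)
                s["server_software"] = m.group(1) if m else None
        elif code == "220" and last_verb == "STARTTLS":
            s["starttls_accepted"] = True
        elif code == "250" and last_verb in ("EHLO", "HELO"):
            m = CONNECT_IP.search(text)
            if m and s["client_public_ip"] is None:
                s["client_public_ip"] = m.group(1)   # address the server saw us connect from
                continue
            parts = text.split()
            if not parts:
                continue
            keyword, args = parts[0].upper(), parts[1:]
            s["extensions"].append(keyword)
            if keyword == "AUTH":
                s["auth_mechanisms"] = [a.upper() for a in args]
            elif keyword == "STARTTLS":
                s["starttls_offered"] = True
    return s


def visibility_summary(s):
    """One-line verdict on what the capture can show past this point."""
    if s["auth_in_cleartext"]:
        return "AUTH seen before TLS: credentials recoverable from the pcap"
    if s["starttls_accepted"]:
        return "cleartext ends at STARTTLS: credentials and message are encrypted in the pcap"
    return "no TLS negotiated: full session readable"
```

For the session on this page the verdict is the second one: EHLO and STARTTLS are the only client commands in the clear, and AUTH PLAIN/LOGIN are offered but never seen. Feeding the same function a session where the client sends AUTH before STARTTLS flips auth_in_cleartext to True, which is the case where the pcap itself yields the exfiltration account.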

                                          Behavior

                                          System Behavior

                                          General

                                          Start time:19:01:32
                                          Start date:04/05/2021
                                          Path:C:\Users\user\Desktop\New Order Request_0232147.exe
                                          Wow64 process (32bit):true
                                          Commandline:'C:\Users\user\Desktop\New Order Request_0232147.exe'
                                          Imagebase:0xf00000
                                          File size:1045504 bytes
                                          MD5 hash:5133CBC9DB4989D6FBB350E0829911C8
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.263302597.0000000004548000.00000004.00000001.sdmp, Author: Joe Security
                                          Reputation:low

                                          General

                                          Start time:19:01:43
                                          Start date:04/05/2021
                                          Path:C:\Users\user\Desktop\New Order Request_0232147.exe
                                          Wow64 process (32bit):false
                                          Commandline:{path}
                                          Imagebase:0x1e0000
                                          File size:1045504 bytes
                                          MD5 hash:5133CBC9DB4989D6FBB350E0829911C8
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low

                                          General

                                          Start time:19:01:44
                                          Start date:04/05/2021
                                          Path:C:\Users\user\Desktop\New Order Request_0232147.exe
                                          Wow64 process (32bit):true
                                          Commandline:{path}
                                          Imagebase:0x860000
                                          File size:1045504 bytes
                                          MD5 hash:5133CBC9DB4989D6FBB350E0829911C8
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.495432203.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.500811322.0000000002C51000.00000004.00000001.sdmp, Author: Joe Security
                                          Reputation:low
