Windows Analysis Report Products Order.exe

Overview

General Information

Sample Name: Products Order.exe
Analysis ID: 458877
MD5: 7beee2584cd632154d34c65237cd5eb0
SHA1: d192b8805a1d874d480d791f673dbde77f12059b
SHA256: 56390f611b9571d11cdeb128435aaf3d5b282511f4a540d81912d87ffc1d2953
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
.NET source code contains very large array initializations
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection:

Found malware configuration
Source: 7.2.Products Order.exe.400000.0.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "ideshow@eflownutrition.com", "Password": "ngozi8989", "Host": "mail.scottbyscott.com"}
Multi AV Scanner detection for submitted file
Source: Products Order.exe Virustotal: Detection: 61%
Source: Products Order.exe Metadefender: Detection: 45%
Source: Products Order.exe ReversingLabs: Detection: 78%
Machine Learning detection for sample
Source: Products Order.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 7.2.Products Order.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: Products Order.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: Products Order.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Products Order.exe, 00000007.00000002.491669072.0000000003471000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Products Order.exe, 00000007.00000002.491669072.0000000003471000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: Products Order.exe, 00000007.00000002.491669072.0000000003471000.00000004.00000001.sdmp String found in binary or memory: http://oGRaXU.com
Source: Products Order.exe, 00000000.00000003.227417521.00000000062DD000.00000004.00000001.sdmp, Products Order.exe, 00000000.00000003.227023489.00000000062D9000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: Products Order.exe, 00000000.00000003.227417521.00000000062DD000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: Products Order.exe, 00000000.00000003.227023489.00000000062D9000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersW
Source: Products Order.exe, 00000000.00000003.222041278.00000000062EB000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: Products Order.exe, 00000000.00000003.222041278.00000000062EB000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com8
Source: Products Order.exe, 00000000.00000003.222041278.00000000062EB000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.comW
Source: Products Order.exe, 00000000.00000003.224020506.00000000062D4000.00000004.00000001.sdmp, Products Order.exe, 00000000.00000003.223807220.00000000062D4000.00000004.00000001.sdmp, Products Order.exe, 00000000.00000003.223766837.000000000630D000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: Products Order.exe, 00000000.00000003.223766837.000000000630D000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn-
Source: Products Order.exe, 00000000.00000003.224020506.00000000062D4000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/
Source: Products Order.exe, 00000000.00000003.223766837.000000000630D000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnh
Source: Products Order.exe, 00000000.00000003.225046664.00000000062D4000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Products Order.exe, 00000000.00000003.225046664.00000000062D4000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/-
Source: Products Order.exe, 00000000.00000003.225046664.00000000062D4000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/K
Source: Products Order.exe, 00000000.00000003.225046664.00000000062D4000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: Products Order.exe, 00000000.00000003.225046664.00000000062D4000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/d
Source: Products Order.exe, 00000000.00000003.225046664.00000000062D4000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/eta
Source: Products Order.exe, 00000000.00000003.225046664.00000000062D4000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Products Order.exe, 00000000.00000003.225046664.00000000062D4000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/w
Source: Products Order.exe, 00000000.00000003.225046664.00000000062D4000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/n
Source: Products Order.exe, 00000000.00000003.225046664.00000000062D4000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/x
Source: Products Order.exe, 00000000.00000003.221801209.00000000062EB000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: Products Order.exe, 00000000.00000003.221801209.00000000062EB000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com/
Source: Products Order.exe, 00000000.00000003.222128549.00000000062EB000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.comh
Source: Products Order.exe, 00000000.00000003.223297725.00000000062D9000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: Products Order.exe, 00000000.00000003.223297725.00000000062D9000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kre
Source: Products Order.exe, 00000000.00000003.223297725.00000000062D9000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.krthe
Source: Products Order.exe, 00000000.00000003.222509875.00000000062EB000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: Products Order.exe, 00000000.00000003.222544938.00000000062EB000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.comn.
Source: Products Order.exe, 00000007.00000002.491669072.0000000003471000.00000004.00000001.sdmp String found in binary or memory: https://Au1SDZgNiFJp.n
Source: Products Order.exe, 00000007.00000002.491669072.0000000003471000.00000004.00000001.sdmp String found in binary or memory: https://Au1SDZgNiFJp.net
Source: Products Order.exe, 00000007.00000002.486997350.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Products Order.exe, 00000007.00000002.491669072.0000000003471000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
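The URL strings above are raw memory-scan hits and need triage before any of them becomes an indicator. Most of them (fontbureau.com, fonts.com, founder.com.cn, jiyu-kobo.co.jp, sajatypeworks.com, sandoll.co.kr, tiro.com) are font-foundry URLs carried in the metadata of fonts the binary embeds, not hosts the malware contacts, and the trailing characters in hits such as `designers8` or `fonts.comW` are simply the bytes that followed the string in memory. The ones worth pivoting on come from the final-stage dumps of process 7, including one at 0x402000 inside the unpacked image at 0x400000 whose AgentTesla configuration (SMTP exfiltration to `mail.scottbyscott.com`) the extractor parsed at the top of the report. The Python helper below is an added example, not part of this report or of Joe Sandbox: it parses both line formats, separates font-metadata noise from candidate indicators, and flags strings found in executable memory. The input lines are copied from this report; the reading of the `.sdmp` name as process.stage.id.base.protection.type and the allowlist of font hosts are the analyst's assumptions.

```python
"""Triage 'String found in binary or memory' and 'Malware Configuration Extractor'
lines from a Joe Sandbox report into indicators and noise.

Added example; not part of this report or of Joe Sandbox. Assumptions: the .sdmp
name is read as process.stage.id.base.protection.type, and the hosts in
FONT_VENDOR_HOSTS are treated as font-metadata noise.
"""
import json
import re
from typing import Dict, List, Optional

# Constructed input: a subset of this report's own "Source:" lines.
REPORT_LINES = [
    'Source: 7.2.Products Order.exe.400000.0.unpack Malware Configuration Extractor: '
    'Agenttesla {"Exfil Mode": "SMTP", "Username": "ideshow@eflownutrition.com", '
    '"Password": "ngozi8989", "Host": "mail.scottbyscott.com"}',
    'Source: Products Order.exe, 00000007.00000002.491669072.0000000003471000.00000004.00000001.sdmp '
    'String found in binary or memory: http://127.0.0.1:HTTP/1.1',
    'Source: Products Order.exe, 00000007.00000002.491669072.0000000003471000.00000004.00000001.sdmp '
    'String found in binary or memory: http://DynDns.comDynDNS',
    'Source: Products Order.exe, 00000000.00000003.227417521.00000000062DD000.00000004.00000001.sdmp '
    'String found in binary or memory: http://www.fontbureau.com/designers8',
    'Source: Products Order.exe, 00000000.00000003.222041278.00000000062EB000.00000004.00000001.sdmp '
    'String found in binary or memory: http://www.fonts.comW',
    'Source: Products Order.exe, 00000007.00000002.491669072.0000000003471000.00000004.00000001.sdmp '
    'String found in binary or memory: https://Au1SDZgNiFJp.net',
    'Source: Products Order.exe, 00000007.00000002.486997350.0000000000402000.00000040.00000001.sdmp '
    'String found in binary or memory: '
    'https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip',
]

# Windows PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY.
PAGE_EXECUTE_MASK = 0xF0

# Assumption: these appear because the binary embeds fonts whose metadata carries the
# foundry URL, not because the malware talks to them. Matched as host prefixes so the
# trailing memory garbage ("fonts.comW") does not defeat the match.
FONT_VENDOR_HOSTS = (
    "www.fontbureau.com", "www.fonts.com", "www.founder.com.cn", "www.jiyu-kobo.co.jp",
    "www.sajatypeworks.com", "www.sandoll.co.kr", "www.tiro.com",
)

# Assumed layout of a Joe Sandbox dump name: process.stage.id.base.protection.type.sdmp
_DUMP_TOKEN = re.compile(
    r"([0-9a-f]{8})\.([0-9a-f]{8})\.(\d+)\.([0-9a-f]{16})\.([0-9a-f]{8})\.([0-9a-f]{8})\.sdmp", re.I)
_CONFIG_RE = re.compile(
    r"^Source: (?P<file>.+?) Malware Configuration Extractor: (?P<family>\w+) (?P<json>\{.*\})$")
_HOST_RE = re.compile(r"^https?://([^/:\s]+)", re.I)
_STRING_MARK = " String found in binary or memory: "


def host_of(url: str) -> Optional[str]:
    """Lower-cased host part of an http(s) URL, or None if the string is not one."""
    m = _HOST_RE.match(url)
    return m.group(1).lower() if m else None


def classify_url(url: str) -> str:
    """'font-metadata' for known foundry hosts, 'ioc' for any other URL, else 'not-a-url'."""
    host = host_of(url)
    if host is None:
        return "not-a-url"
    if any(host.startswith(vendor) for vendor in FONT_VENDOR_HOSTS):
        return "font-metadata"
    return "ioc"


def is_executable_region(protect: int) -> bool:
    """True if the dump's page protection carries any PAGE_EXECUTE* bit."""
    return bool(protect & PAGE_EXECUTE_MASK)


def parse_string_line(line: str) -> Optional[Dict]:
    """Split a 'String found in binary or memory' line into the string and its dump regions."""
    if _STRING_MARK not in line:
        return None
    head, value = line.split(_STRING_MARK, 1)
    regions = [
        {"process": int(p, 16), "stage": int(s, 16), "base": int(b, 16),
         "protect": int(pr, 16), "type": int(t, 16)}
        for p, s, _dump_id, b, pr, t in _DUMP_TOKEN.findall(head)
    ]
    return {"value": value.strip(), "regions": regions}


def triage(lines: List[str]) -> Dict:
    """Return the parsed config, candidate IOC URLs with region context, font noise, and hosts."""
    result: Dict = {"config": None, "iocs": [], "font_noise": [], "network_hosts": []}
    hosts = set()
    for line in lines:
        m = _CONFIG_RE.match(line)
        if m:
            cfg = json.loads(m.group("json"))
            cfg["family"] = m.group("family")
            result["config"] = cfg
            if cfg.get("Host"):
                hosts.add(cfg["Host"].lower())
            continue
        parsed = parse_string_line(line)
        if parsed is None:
            continue
        label = classify_url(parsed["value"])
        if label == "font-metadata":
            result["font_noise"].append(parsed["value"])
        elif label == "ioc":
            result["iocs"].append({
                "url": parsed["value"],
                "host": host_of(parsed["value"]),
                "stages": sorted({r["stage"] for r in parsed["regions"]}),
                "in_executable_region": any(is_executable_region(r["protect"]) for r in parsed["regions"]),
            })
            hosts.add(host_of(parsed["value"]))
    result["network_hosts"] = sorted(hosts)
    return result


if __name__ == "__main__":
    report = triage(REPORT_LINES)
    print("config:", report["config"])
    for ioc in report["iocs"]:
        print("IOC", ioc["url"], "exec-region" if ioc["in_executable_region"] else "data-region")
    print("dropped as font metadata:", report["font_noise"])
    print("hosts to block/hunt:", report["network_hosts"])
```

On this report the helper keeps the config host and the four process-7 strings and drops the foundry URLs; the Tor download URL is the only one recovered from an executable (0x40, PAGE_EXECUTE_READWRITE) region, which is what marks it as part of the unpacked payload rather than heap debris. The loopback and DynDns fragments are AgentTesla string constants and are useful for rule writing but not for network blocking.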

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\Products Order.exe Window created: window name: CLIPBRDWNDCLASS

System Summary:

.NET source code contains very large array initializations
Source: 7.2.Products Order.exe.400000.0.unpack, <PrivateImplementationDetails>{CA318437-79D0-47E6-AD5A-E637674672C0}/70291D60-50D6-4282-9AE4-F343420AD8FC.cs Large array initialization: .cctor: array initializer size 11965
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Products Order.exe
Detected potential crypto function
Source: C:\Users\user\Desktop\Products Order.exe Code function: 7_2_0154AD00 7_2_0154AD00
Source: C:\Users\user\Desktop\Products Order.exe Code function: 7_2_01540D30 7_2_01540D30
Source: C:\Users\user\Desktop\Products Order.exe Code function: 7_2_01546BE0 7_2_01546BE0
Source: C:\Users\user\Desktop\Products Order.exe Code function: 7_2_01543790 7_2_01543790
Source: C:\Users\user\Desktop\Products Order.exe Code function: 7_2_01548D80 7_2_01548D80
Source: C:\Users\user\Desktop\Products Order.exe Code function: 7_2_0154C188 7_2_0154C188
Source: C:\Users\user\Desktop\Products Order.exe Code function: 7_2_01545038 7_2_01545038
Source: C:\Users\user\Desktop\Products Order.exe Code function: 7_2_01547A5E 7_2_01547A5E
Source: C:\Users\user\Desktop\Products Order.exe Code function: 7_2_01547A60 7_2_01547A60
Source: C:\Users\user\Desktop\Products Order.exe Code function: 7_2_018B6158 7_2_018B6158
Source: C:\Users\user\Desktop\Products Order.exe Code function: 7_2_018B5B21 7_2_018B5B21
Source: C:\Users\user\Desktop\Products Order.exe Code function: 7_2_018B3680 7_2_018B3680
Source: C:\Users\user\Desktop\Products Order.exe Code function: 7_2_018BD3EE 7_2_018BD3EE
Source: C:\Users\user\Desktop\Products Order.exe Code function: 7_2_01A21368 7_2_01A21368
Source: C:\Users\user\Desktop\Products Order.exe Code function: 7_2_01A4C5B0 7_2_01A4C5B0
Source: C:\Users\user\Desktop\Products Order.exe Code function: 7_2_01A428C8 7_2_01A428C8
Source: C:\Users\user\Desktop\Products Order.exe Code function: 7_2_01A48EA0 7_2_01A48EA0
Source: C:\Users\user\Desktop\Products Order.exe Code function: 7_2_01A4E530 7_2_01A4E530
Source: C:\Users\user\Desktop\Products Order.exe Code function: 7_2_01A45578 7_2_01A45578
Source: C:\Users\user\Desktop\Products Order.exe Code function: 7_2_01A46490 7_2_01A46490
Sample file is different than original file name gathered from version info
Source: Products Order.exe, 00000000.00000000.218947395.00000000010E8000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameBindingFla.exe> vs Products Order.exe
Source: Products Order.exe, 00000007.00000002.495246243.0000000006420000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Products Order.exe
Source: Products Order.exe, 00000007.00000002.489342552.000000000178A000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Products Order.exe
Source: Products Order.exe, 00000007.00000002.496023425.0000000006740000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Products Order.exe
Source: Products Order.exe, 00000007.00000000.270811026.0000000001068000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameBindingFla.exe> vs Products Order.exe
Source: Products Order.exe, 00000007.00000002.486997350.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamefGTSWhFZukHSMrbrFCgDqhElwPzfvrA.exe4 vs Products Order.exe
Source: Products Order.exe, 00000007.00000002.489864931.00000000018A0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewshom.ocx.mui vs Products Order.exe
Source: Products Order.exe Binary or memory string: OriginalFilenameBindingFla.exe> vs Products Order.exe
Uses 32bit PE files
Source: Products Order.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: Products Order.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 7.2.Products Order.exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/1@0/0
Source: C:\Users\user\Desktop\Products Order.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Products Order.exe.log
Source: Products Order.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Products Order.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Products Order.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Products Order.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Products Order.exe, 00000000.00000000.218832833.0000000000FE2000.00000002.00020000.sdmp, Products Order.exe, 00000007.00000000.270686053.0000000000F62000.00000002.00020000.sdmp Binary or memory string: SELECT !{0}{1}[{2}].[ID]!{0}FROM [{1}]{2}5WHERE [{0}].[{1}ID] = {2};
Source: Products Order.exe Virustotal: Detection: 61%
Source: Products Order.exe Metadefender: Detection: 45%
Source: Products Order.exe ReversingLabs: Detection: 78%
Source: unknown Process created: C:\Users\user\Desktop\Products Order.exe 'C:\Users\user\Desktop\Products Order.exe'
Source: C:\Users\user\Desktop\Products Order.exe Process created: C:\Users\user\Desktop\Products Order.exe C:\Users\user\Desktop\Products Order.exe
Source: C:\Users\user\Desktop\Products Order.exe Process created: C:\Users\user\Desktop\Products Order.exe C:\Users\user\Desktop\Products Order.exe
Source: C:\Users\user\Desktop\Products Order.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\Products Order.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Products Order.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Products Order.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Products Order.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Products Order.exe Static file information: File size 1071104 > 1048576
Source: Products Order.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x104e00
Source: Products Order.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Binary contains a suspicious time stamp
Source: Products Order.exe Static PE information: 0xB2837D03 [Wed Nov 26 21:47:47 2064 UTC]
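A TimeDateStamp in 2064 cannot be a real build time, but on a .NET assembly (the IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR finding under System Summary confirms this sample is one) it is weak evidence on its own: Roslyn's deterministic builds write a hash-derived value into that header field, so legitimate assemblies routinely carry nonsense dates too. The Python snippet below is an added example, not part of this report or of Joe Sandbox; it decodes the reported value (reproducing the date shown above), and applies that native-versus-.NET distinction. The analysis date it compares against is the analyst's assumption, since the report does not state one.

```python
"""Decode and sanity-check a PE IMAGE_FILE_HEADER.TimeDateStamp.

Added example; not part of this report or of Joe Sandbox. ASSUMED_ANALYSIS_TIME
is an assumption: the report does not give the date the sample was analysed.
"""
from datetime import datetime, timedelta, timezone
from typing import Tuple

# Value quoted in the report's "Binary contains a suspicious time stamp" line.
REPORTED_STAMP = 0xB2837D03

# Assumption: the sample was analysed in mid-2021; anything later is "future-dated".
ASSUMED_ANALYSIS_TIME = datetime(2021, 8, 1, tzinfo=timezone.utc)

_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def decode_timestamp(stamp: int) -> datetime:
    """TimeDateStamp is an unsigned 32-bit count of seconds since 1970-01-01 UTC.

    Adds a timedelta to the epoch instead of calling fromtimestamp(), so values
    past 2038 decode the same way on every platform.
    """
    if not 0 <= stamp <= 0xFFFFFFFF:
        raise ValueError("TimeDateStamp must fit in 32 bits")
    return _EPOCH + timedelta(seconds=stamp)


def timestamp_verdict(stamp: int, analysis_time: datetime, is_dotnet: bool) -> Tuple[str, str]:
    """Classify a compile timestamp and explain the call.

    A stamp later than the analysis date cannot be a genuine build time. For a
    native PE that points at a tampered header; for a .NET assembly it is the
    expected result of a Roslyn deterministic build, which stores a hash-derived
    value in this field, so the finding needs corroboration before it counts.
    """
    if stamp == 0:
        return "zeroed", "stamp is 0: field was cleared or never set"
    when = decode_timestamp(stamp)
    shown = when.strftime("%Y-%m-%d %H:%M:%S UTC")
    if when > analysis_time:
        if is_dotnet:
            return ("future-dated-dotnet",
                    f"{shown} is after analysis; consistent with a deterministic .NET build, "
                    "treat as weak evidence and corroborate with other indicators")
        return "future-dated", f"{shown} is after analysis; the header was most likely altered"
    if when.year < 2000:
        return "implausibly-old", f"{shown} predates the toolchains that emit this format"
    return "plausible", shown


if __name__ == "__main__":
    # The report's COM descriptor data directory marks this sample as a .NET assembly.
    label, reason = timestamp_verdict(REPORTED_STAMP, ASSUMED_ANALYSIS_TIME, is_dotnet=True)
    print(decode_timestamp(REPORTED_STAMP).strftime("%a %b %d %H:%M:%S %Y UTC"), "->", label)
    print(reason)
```

Running it reproduces `Wed Nov 26 21:47:47 2064 UTC` and labels it `future-dated-dotnet`. In this report the timestamp is only one of many signals (injection, WMI fingerprinting, credential theft, an extracted C2 configuration), so it adds little; on a sample where it is the only oddity, check whether the file is a .NET assembly before treating the date as evidence of tampering.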
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Products Order.exe Code function: 7_2_018BB577 push edi; retn 0000h 7_2_018BB579
Source: C:\Users\user\Desktop\Products Order.exe Code function: 7_2_018BD3CA push ebx; retf 7_2_018BD3D9
Source: C:\Users\user\Desktop\Products Order.exe Code function: 7_2_018B5A70 push es; ret 7_2_018B5A80
Source: initial sample Static PE information: section name: .text entropy: 7.23009151105
Source: Products Order.exe, jEJ3iSXqfk6lZpjMd1/s0Q1lMy23wLtJ5aYvV.cs High entropy of concatenated method names: '.cctor', '.ctor', '.ctor', 'jgbN2Ee7mC', 'eY4NY6BDTR', 'r8jNhYUGQW', 'rZ9NcmMoCK', 'RvGNKsD9yL', 'QY5N0DVrl6', 'orGNQsL8id'
Source: Products Order.exe, CZDWkSxlutEmWZ8Des/LjYhvLOFbulQVHUFEL.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'ftthtjKNsV', 'f7sSfvTXT9', 'vqGSsX5L7D', 'REySnMwvVc', 'a7xSzr2Lni', 'xstN2XQJav', 'Ha3NXTiuwN', 'aBXNMdIRCG'
Source: Products Order.exe, LolhYxwjKnfDh5Lfvg/EiOTPuWehH56J2e6gk.cs High entropy of concatenated method names: 'XsdKpJToTO', 'DWyKKCOBMb', '.ctor', 'ArEp3lTxvL', 'woypD0fUOP', 'L8Fp1AjqqS', 'MZjpRXE0mT', 'lcRpoYQMVc', 'EaxpPFcmrN', 'h49ptZxvIp'
Source: Products Order.exe, RitTO5rInvUdtxtaI5/GLt03cLTDHJJZt4aoe.cs High entropy of concatenated method names: '.ctor', 'aEGhHfbmyA', 'Dispose', 'QJehUNZOHu', 'Vlrh8kqQ6l', 'Xlch6fSA3v', 'xuThGKjNEa', 'C43h4OJ5la', 'wCGhO9D1w7', 'OwQSQav2uu'
Source: Products Order.exe, aRFd54IaycYrDka8uo/SB1f1Gm9GFCkdp0CaA.cs High entropy of concatenated method names: '.ctor', 'pjMD9y27H', 'tXGgkr5cM', 'RcTCDHJJZ', 'H03RlFNsS', 'WQ3F1jUWi', 'cMPTG6vnp', 'wixPFs0ac', 'a4OzpaEHl', 'gkBY2mC8Lh'
Source: Products Order.exe, CjobfHSDfoL4D3dn1A/jT8ZVSfZFJS0xhiWby.cs High entropy of concatenated method names: 'VHmLxGRbED', 'DsELadslMk', 'DTIL7bd70Y', 'wcvLyx1XRr', 'TKjLCXiU7J', 'WY6LP2GHVY', 'lbPYI22YFF', 'hMfYSemnEV', 'zR8YyOMoTd', '.ctor'
Source: Products Order.exe, mEvtZo1S3f2PmS807p/EMHZcLg6tBVwih1naU.cs High entropy of concatenated method names: 'VTPKWxOtOu', 'yTLKwHifd7', 'bRBKDO6vcn', 'uVqKgvWWio', 'GaRKRYZsKy', 'By2KFSaJLg', 'xNjKT4bP5C', 'DDqKPewBcY', 'i7RKz5RlnZ', 'BEP02MWQDU'
Source: Products Order.exe, GZwBDXVOq9WPEOQSBN/pr8vCDeqm2b09CZnn2.cs High entropy of concatenated method names: '.ctor', 'Save', 'MOQvSBNgB', 'Load', 'Tf1qG9GFC', 'JdpZ0CaAY', 'UFda54ayc', 'ghPHvlxODboG0C2DCb', 'tokp3wupnx7teMC9iD', 'xuWicpt6MnT8UqpIAj'
Source: Products Order.exe, BGs9jPE93YkaZhXU4o/slhC4VlMdgKEy3jB8K.cs High entropy of concatenated method names: '.ctor', 'kKHpSRMmnC', 'zq8pyUBdbf', 'aOhpXf1Klt', 'QXApLKxUNI', 'jDqprdNlI2', 'PV163Ob6dAlDkryA2Bp', 'bS30lCbky2BSsFaaoAW', 'MwI8kvbakf9nVNXChvo', 't0OJ5xbjP0KR5rjk6G9'
Source: Products Order.exe, cmZGbTY8Zbl6eWIQRXx/AaNAGrYUblT7KK7b4Lv.cs High entropy of concatenated method names: '.ctor', 'YD0S2X3gxc', 'mC8SYsIpwM', 'BIiShxTUdo', 'BgUScYojxn', 'PhUfPmFmkw', 'EL9ftaiNiX', 'GctfzvF3ws', 'Ckixt3AvXKY6aCuAYHw', 'BpAE9YACUrmZJy3GPVP'
Source: Products Order.exe, ldWSQ8YH7XeS9qZer8h/H75utYYa0CILewlQ0Vo.cs High entropy of concatenated method names: '.ctor', 'JREEzlCpyP', 'lDjT2wagwJ', 'PKSfDpVYyN', 'k1Tfgha45q', 'GetEditControl', 'GetEditedValue', 'LoadValues', 'SetEditStyle', 'GetEditStyle'
Source: Products Order.exe, NRpH4BYZyrGXKZrqqLv/SvleMWYqQLrA5px6syY.cs High entropy of concatenated method names: 'gh2fOxLTbn', 'zQdfx6cDoK', '.ctor', 'get_BackColor', 'set_BackColor', 'get_BackgroundImage', 'set_BackgroundImage', 'get_BackgroundImageLayout', 'set_BackgroundImageLayout', 'get_Font'
Source: Products Order.exe, ArZSSGYXL5IdB5pH0YZ/tHUMADYytMpJZW2OxgV.cs High entropy of concatenated method names: 'Kt6QWXF8N5', 'eoDQwFBAXt', 'N7fQ36uCTk', 'q43QD0UTj4', 'XjfQg5R9bN', 'get_Multiline', 'set_Multiline', 'get_Text', 'set_Text', '.ctor'
Source: Products Order.exe, a4eAFCYciwXRIvke8XM/BCgNmDYhQFiJQf76LQ7.cs High entropy of concatenated method names: '.ctor', 'CPnQs5SfM6', 'VfiQAGhdBL', 'ovqQdlpEB2', 'InitializeEditingControl', 'get_EditType', 'get_ValueType', 'get_DefaultNewRowValue', 'PJSmeHcaKH4jqonnDSD', 'MCFunGc6e3fLfLJHAZd'
Source: Products Order.exe, G2qbT2YvtRxukMNikbA/LgygSGYBoAp4MJcxaBq.cs High entropy of concatenated method names: '.ctor', 'hZdfs90Xh2', 'BvoEQYfVcd', 'RQIEOBSVg1', 'YhZtwtAR6O120fCynK7', 'iUsbEfAUqROPRLjyU6w', 'tCYyXgAGWxtw5hk4Oj6', 'P2ZSENADwieZ13mVHf1', 'WdjcuUA5YmwfBySMiyE', 'IeVKBRAoP7mWuJuf5Jo'
Source: Products Order.exe, SQ0tRPYrbQslkKNqwJb/QLhoT9YLQ3g3xPPayxk.cs High entropy of concatenated method names: '.ctor', 'B9LMiN4v7K', 'vWqMs74H5V', 'oWJMN5GbqB', 'dkLMhrqjbi', 'rh5MccE9qP', 'KShMp4AdVg', 'AIdMKWxFxo', 'bswM0sPjGW', 'uCaM5pM5kL'
Source: Products Order.exe, hys8cyYdCWEPtZHKPyE/W0VpBxYJSfYM5SoSBCp.cs High entropy of concatenated method names: '.ctor', 'cRgIqNrZmw', 'jdBIZQG6w9', 'PkiIH2j1j7', 'AbOIUD12Kg', 'get_Multiline', 'set_Multiline', 'LbDVCVsVqo', 'JoTVljqfNd', 'trYVEWruLP'
Source: Products Order.exe, Fwrc7ZYsp2tWFrurvT9/a9HxWcYiK4WifDgPB1P.cs High entropy of concatenated method names: 'Dispose', 'I4snZbwfcu', 'lNlnabj5gU', 'N92nHUBAxj', 'MjTnUT1GUa', 'get_MinimumSize', 'set_MinimumSize', 'lWOeArWZGx', 'NukeJP7ido', 'gImeB42KB6'
Source: Products Order.exe, YHweQvYNSoT9ZiFRU4U/bPfrGsYYL8idwlKvl9b.cs High entropy of concatenated method names: 'Iab0JWfOJK', 'kfe0dKkLj4', 'lrk0BP3TJa', 'yHC0vc0Ml5', 'nhA0qFackr', 't070ZtGVtN', 'qdQ0aSB0W6', 'WRA0Hus0Vy', 'NJr0UJvjtE', 'EjE08Isomy'
Source: Products Order.exe, NuASiyYANxi0P2J5eux/jNDFvWYujAkcugZCGBx.cs High entropy of concatenated method names: 'tfZVfipv3V', 'VEVVSVSaLP', 'pDoVN5HQQd', 'bdyVhGFguJ', 'ov2VpmXiCS', 'clYVKIOPEN', 'wNLV0GXort', 'qiFV52hhJW', 'UaiVQJ8P0l', 'EB7V9Cli2x'
Source: 0.0.Products Order.exe.fe0000.0.unpack, jEJ3iSXqfk6lZpjMd1/s0Q1lMy23wLtJ5aYvV.cs High entropy of concatenated method names: '.cctor', '.ctor', '.ctor', 'jgbN2Ee7mC', 'eY4NY6BDTR', 'r8jNhYUGQW', 'rZ9NcmMoCK', 'RvGNKsD9yL', 'QY5N0DVrl6', 'orGNQsL8id'
Source: 0.0.Products Order.exe.fe0000.0.unpack, CZDWkSxlutEmWZ8Des/LjYhvLOFbulQVHUFEL.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'ftthtjKNsV', 'f7sSfvTXT9', 'vqGSsX5L7D', 'REySnMwvVc', 'a7xSzr2Lni', 'xstN2XQJav', 'Ha3NXTiuwN', 'aBXNMdIRCG'
Source: 0.0.Products Order.exe.fe0000.0.unpack, LolhYxwjKnfDh5Lfvg/EiOTPuWehH56J2e6gk.cs High entropy of concatenated method names: 'XsdKpJToTO', 'DWyKKCOBMb', '.ctor', 'ArEp3lTxvL', 'woypD0fUOP', 'L8Fp1AjqqS', 'MZjpRXE0mT', 'lcRpoYQMVc', 'EaxpPFcmrN', 'h49ptZxvIp'
Source: 0.0.Products Order.exe.fe0000.0.unpack, CjobfHSDfoL4D3dn1A/jT8ZVSfZFJS0xhiWby.cs High entropy of concatenated method names: 'VHmLxGRbED', 'DsELadslMk', 'DTIL7bd70Y', 'wcvLyx1XRr', 'TKjLCXiU7J', 'WY6LP2GHVY', 'lbPYI22YFF', 'hMfYSemnEV', 'zR8YyOMoTd', '.ctor'
Source: 0.0.Products Order.exe.fe0000.0.unpack, RitTO5rInvUdtxtaI5/GLt03cLTDHJJZt4aoe.cs High entropy of concatenated method names: '.ctor', 'aEGhHfbmyA', 'Dispose', 'QJehUNZOHu', 'Vlrh8kqQ6l', 'Xlch6fSA3v', 'xuThGKjNEa', 'C43h4OJ5la', 'wCGhO9D1w7', 'OwQSQav2uu'
Source: 0.0.Products Order.exe.fe0000.0.unpack, mEvtZo1S3f2PmS807p/EMHZcLg6tBVwih1naU.cs High entropy of concatenated method names: 'VTPKWxOtOu', 'yTLKwHifd7', 'bRBKDO6vcn', 'uVqKgvWWio', 'GaRKRYZsKy', 'By2KFSaJLg', 'xNjKT4bP5C', 'DDqKPewBcY', 'i7RKz5RlnZ', 'BEP02MWQDU'
Source: 0.0.Products Order.exe.fe0000.0.unpack, aRFd54IaycYrDka8uo/SB1f1Gm9GFCkdp0CaA.cs High entropy of concatenated method names: '.ctor', 'pjMD9y27H', 'tXGgkr5cM', 'RcTCDHJJZ', 'H03RlFNsS', 'WQ3F1jUWi', 'cMPTG6vnp', 'wixPFs0ac', 'a4OzpaEHl', 'gkBY2mC8Lh'
Source: 0.0.Products Order.exe.fe0000.0.unpack, NuASiyYANxi0P2J5eux/jNDFvWYujAkcugZCGBx.cs High entropy of concatenated method names: 'tfZVfipv3V', 'VEVVSVSaLP', 'pDoVN5HQQd', 'bdyVhGFguJ', 'ov2VpmXiCS', 'clYVKIOPEN', 'wNLV0GXort', 'qiFV52hhJW', 'UaiVQJ8P0l', 'EB7V9Cli2x'
Source: 0.0.Products Order.exe.fe0000.0.unpack, hys8cyYdCWEPtZHKPyE/W0VpBxYJSfYM5SoSBCp.cs High entropy of concatenated method names: '.ctor', 'cRgIqNrZmw', 'jdBIZQG6w9', 'PkiIH2j1j7', 'AbOIUD12Kg', 'get_Multiline', 'set_Multiline', 'LbDVCVsVqo', 'JoTVljqfNd', 'trYVEWruLP'
Source: 0.0.Products Order.exe.fe0000.0.unpack, BGs9jPE93YkaZhXU4o/slhC4VlMdgKEy3jB8K.cs High entropy of concatenated method names: '.ctor', 'kKHpSRMmnC', 'zq8pyUBdbf', 'aOhpXf1Klt', 'QXApLKxUNI', 'jDqprdNlI2', 'PV163Ob6dAlDkryA2Bp', 'bS30lCbky2BSsFaaoAW', 'MwI8kvbakf9nVNXChvo', 't0OJ5xbjP0KR5rjk6G9'
Source: 0.0.Products Order.exe.fe0000.0.unpack, G2qbT2YvtRxukMNikbA/LgygSGYBoAp4MJcxaBq.cs High entropy of concatenated method names: '.ctor', 'hZdfs90Xh2', 'BvoEQYfVcd', 'RQIEOBSVg1', 'YhZtwtAR6O120fCynK7', 'iUsbEfAUqROPRLjyU6w', 'tCYyXgAGWxtw5hk4Oj6', 'P2ZSENADwieZ13mVHf1', 'WdjcuUA5YmwfBySMiyE', 'IeVKBRAoP7mWuJuf5Jo'
Source: 0.0.Products Order.exe.fe0000.0.unpack, GZwBDXVOq9WPEOQSBN/pr8vCDeqm2b09CZnn2.cs High entropy of concatenated method names: '.ctor', 'Save', 'MOQvSBNgB', 'Load', 'Tf1qG9GFC', 'JdpZ0CaAY', 'UFda54ayc', 'ghPHvlxODboG0C2DCb', 'tokp3wupnx7teMC9iD', 'xuWicpt6MnT8UqpIAj'
Source: 0.0.Products Order.exe.fe0000.0.unpack, ArZSSGYXL5IdB5pH0YZ/tHUMADYytMpJZW2OxgV.cs High entropy of concatenated method names: 'Kt6QWXF8N5', 'eoDQwFBAXt', 'N7fQ36uCTk', 'q43QD0UTj4', 'XjfQg5R9bN', 'get_Multiline', 'set_Multiline', 'get_Text', 'set_Text', '.ctor'
Source: 0.0.Products Order.exe.fe0000.0.unpack, NRpH4BYZyrGXKZrqqLv/SvleMWYqQLrA5px6syY.cs High entropy of concatenated method names: 'gh2fOxLTbn', 'zQdfx6cDoK', '.ctor', 'get_BackColor', 'set_BackColor', 'get_BackgroundImage', 'set_BackgroundImage', 'get_BackgroundImageLayout', 'set_BackgroundImageLayout', 'get_Font'
Source: 0.0.Products Order.exe.fe0000.0.unpack, SQ0tRPYrbQslkKNqwJb/QLhoT9YLQ3g3xPPayxk.cs High entropy of concatenated method names: '.ctor', 'B9LMiN4v7K', 'vWqMs74H5V', 'oWJMN5GbqB', 'dkLMhrqjbi', 'rh5MccE9qP', 'KShMp4AdVg', 'AIdMKWxFxo', 'bswM0sPjGW', 'uCaM5pM5kL'
Source: 0.0.Products Order.exe.fe0000.0.unpack, ldWSQ8YH7XeS9qZer8h/H75utYYa0CILewlQ0Vo.cs High entropy of concatenated method names: '.ctor', 'JREEzlCpyP', 'lDjT2wagwJ', 'PKSfDpVYyN', 'k1Tfgha45q', 'GetEditControl', 'GetEditedValue', 'LoadValues', 'SetEditStyle', 'GetEditStyle'
Source: 0.0.Products Order.exe.fe0000.0.unpack, YHweQvYNSoT9ZiFRU4U/bPfrGsYYL8idwlKvl9b.cs High entropy of concatenated method names: 'Iab0JWfOJK', 'kfe0dKkLj4', 'lrk0BP3TJa', 'yHC0vc0Ml5', 'nhA0qFackr', 't070ZtGVtN', 'qdQ0aSB0W6', 'WRA0Hus0Vy', 'NJr0UJvjtE', 'EjE08Isomy'
Source: 0.0.Products Order.exe.fe0000.0.unpack, Fwrc7ZYsp2tWFrurvT9/a9HxWcYiK4WifDgPB1P.cs High entropy of concatenated method names: 'Dispose', 'I4snZbwfcu', 'lNlnabj5gU', 'N92nHUBAxj', 'MjTnUT1GUa', 'get_MinimumSize', 'set_MinimumSize', 'lWOeArWZGx', 'NukeJP7ido', 'gImeB42KB6'
Source: 0.0.Products Order.exe.fe0000.0.unpack, cmZGbTY8Zbl6eWIQRXx/AaNAGrYUblT7KK7b4Lv.cs High entropy of concatenated method names: '.ctor', 'YD0S2X3gxc', 'mC8SYsIpwM', 'BIiShxTUdo', 'BgUScYojxn', 'PhUfPmFmkw', 'EL9ftaiNiX', 'GctfzvF3ws', 'Ckixt3AvXKY6aCuAYHw', 'BpAE9YACUrmZJy3GPVP'
Source: 0.0.Products Order.exe.fe0000.0.unpack, a4eAFCYciwXRIvke8XM/BCgNmDYhQFiJQf76LQ7.cs High entropy of concatenated method names: '.ctor', 'CPnQs5SfM6', 'VfiQAGhdBL', 'ovqQdlpEB2', 'InitializeEditingControl', 'get_EditType', 'get_ValueType', 'get_DefaultNewRowValue', 'PJSmeHcaKH4jqonnDSD', 'MCFunGc6e3fLfLJHAZd'
Source: 7.2.Products Order.exe.f60000.1.unpack, jEJ3iSXqfk6lZpjMd1/s0Q1lMy23wLtJ5aYvV.cs High entropy of concatenated method names: '.cctor', '.ctor', '.ctor', 'jgbN2Ee7mC', 'eY4NY6BDTR', 'r8jNhYUGQW', 'rZ9NcmMoCK', 'RvGNKsD9yL', 'QY5N0DVrl6', 'orGNQsL8id'
Source: 7.2.Products Order.exe.f60000.1.unpack, CZDWkSxlutEmWZ8Des/LjYhvLOFbulQVHUFEL.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'ftthtjKNsV', 'f7sSfvTXT9', 'vqGSsX5L7D', 'REySnMwvVc', 'a7xSzr2Lni', 'xstN2XQJav', 'Ha3NXTiuwN', 'aBXNMdIRCG'
Source: 7.2.Products Order.exe.f60000.1.unpack, LolhYxwjKnfDh5Lfvg/EiOTPuWehH56J2e6gk.cs High entropy of concatenated method names: 'XsdKpJToTO', 'DWyKKCOBMb', '.ctor', 'ArEp3lTxvL', 'woypD0fUOP', 'L8Fp1AjqqS', 'MZjpRXE0mT', 'lcRpoYQMVc', 'EaxpPFcmrN', 'h49ptZxvIp'
Source: 7.2.Products Order.exe.f60000.1.unpack, RitTO5rInvUdtxtaI5/GLt03cLTDHJJZt4aoe.cs High entropy of concatenated method names: '.ctor', 'aEGhHfbmyA', 'Dispose', 'QJehUNZOHu', 'Vlrh8kqQ6l', 'Xlch6fSA3v', 'xuThGKjNEa', 'C43h4OJ5la', 'wCGhO9D1w7', 'OwQSQav2uu'
Source: 7.2.Products Order.exe.f60000.1.unpack, aRFd54IaycYrDka8uo/SB1f1Gm9GFCkdp0CaA.cs High entropy of concatenated method names: '.ctor', 'pjMD9y27H', 'tXGgkr5cM', 'RcTCDHJJZ', 'H03RlFNsS', 'WQ3F1jUWi', 'cMPTG6vnp', 'wixPFs0ac', 'a4OzpaEHl', 'gkBY2mC8Lh'
Source: 7.2.Products Order.exe.f60000.1.unpack, CjobfHSDfoL4D3dn1A/jT8ZVSfZFJS0xhiWby.cs High entropy of concatenated method names: 'VHmLxGRbED', 'DsELadslMk', 'DTIL7bd70Y', 'wcvLyx1XRr', 'TKjLCXiU7J', 'WY6LP2GHVY', 'lbPYI22YFF', 'hMfYSemnEV', 'zR8YyOMoTd', '.ctor'
Source: 7.2.Products Order.exe.f60000.1.unpack, cmZGbTY8Zbl6eWIQRXx/AaNAGrYUblT7KK7b4Lv.cs High entropy of concatenated method names: '.ctor', 'YD0S2X3gxc', 'mC8SYsIpwM', 'BIiShxTUdo', 'BgUScYojxn', 'PhUfPmFmkw', 'EL9ftaiNiX', 'GctfzvF3ws', 'Ckixt3AvXKY6aCuAYHw', 'BpAE9YACUrmZJy3GPVP'
Source: 7.2.Products Order.exe.f60000.1.unpack, mEvtZo1S3f2PmS807p/EMHZcLg6tBVwih1naU.cs High entropy of concatenated method names: 'VTPKWxOtOu', 'yTLKwHifd7', 'bRBKDO6vcn', 'uVqKgvWWio', 'GaRKRYZsKy', 'By2KFSaJLg', 'xNjKT4bP5C', 'DDqKPewBcY', 'i7RKz5RlnZ', 'BEP02MWQDU'
Source: 7.2.Products Order.exe.f60000.1.unpack, G2qbT2YvtRxukMNikbA/LgygSGYBoAp4MJcxaBq.cs High entropy of concatenated method names: '.ctor', 'hZdfs90Xh2', 'BvoEQYfVcd', 'RQIEOBSVg1', 'YhZtwtAR6O120fCynK7', 'iUsbEfAUqROPRLjyU6w', 'tCYyXgAGWxtw5hk4Oj6', 'P2ZSENADwieZ13mVHf1', 'WdjcuUA5YmwfBySMiyE', 'IeVKBRAoP7mWuJuf5Jo'
Source: 7.2.Products Order.exe.f60000.1.unpack, Fwrc7ZYsp2tWFrurvT9/a9HxWcYiK4WifDgPB1P.cs High entropy of concatenated method names: 'Dispose', 'I4snZbwfcu', 'lNlnabj5gU', 'N92nHUBAxj', 'MjTnUT1GUa', 'get_MinimumSize', 'set_MinimumSize', 'lWOeArWZGx', 'NukeJP7ido', 'gImeB42KB6'
Source: 7.2.Products Order.exe.f60000.1.unpack, hys8cyYdCWEPtZHKPyE/W0VpBxYJSfYM5SoSBCp.cs High entropy of concatenated method names: '.ctor', 'cRgIqNrZmw', 'jdBIZQG6w9', 'PkiIH2j1j7', 'AbOIUD12Kg', 'get_Multiline', 'set_Multiline', 'LbDVCVsVqo', 'JoTVljqfNd', 'trYVEWruLP'
Source: 7.2.Products Order.exe.f60000.1.unpack, BGs9jPE93YkaZhXU4o/slhC4VlMdgKEy3jB8K.cs High entropy of concatenated method names: '.ctor', 'kKHpSRMmnC', 'zq8pyUBdbf', 'aOhpXf1Klt', 'QXApLKxUNI', 'jDqprdNlI2', 'PV163Ob6dAlDkryA2Bp', 'bS30lCbky2BSsFaaoAW', 'MwI8kvbakf9nVNXChvo', 't0OJ5xbjP0KR5rjk6G9'
Source: 7.2.Products Order.exe.f60000.1.unpack, SQ0tRPYrbQslkKNqwJb/QLhoT9YLQ3g3xPPayxk.cs High entropy of concatenated method names: '.ctor', 'B9LMiN4v7K', 'vWqMs74H5V', 'oWJMN5GbqB', 'dkLMhrqjbi', 'rh5MccE9qP', 'KShMp4AdVg', 'AIdMKWxFxo', 'bswM0sPjGW', 'uCaM5pM5kL'
Source: 7.2.Products Order.exe.f60000.1.unpack, GZwBDXVOq9WPEOQSBN/pr8vCDeqm2b09CZnn2.cs High entropy of concatenated method names: '.ctor', 'Save', 'MOQvSBNgB', 'Load', 'Tf1qG9GFC', 'JdpZ0CaAY', 'UFda54ayc', 'ghPHvlxODboG0C2DCb', 'tokp3wupnx7teMC9iD', 'xuWicpt6MnT8UqpIAj'
Source: 7.2.Products Order.exe.f60000.1.unpack, NRpH4BYZyrGXKZrqqLv/SvleMWYqQLrA5px6syY.cs High entropy of concatenated method names: 'gh2fOxLTbn', 'zQdfx6cDoK', '.ctor', 'get_BackColor', 'set_BackColor', 'get_BackgroundImage', 'set_BackgroundImage', 'get_BackgroundImageLayout', 'set_BackgroundImageLayout', 'get_Font'
Source: 7.2.Products Order.exe.f60000.1.unpack, ArZSSGYXL5IdB5pH0YZ/tHUMADYytMpJZW2OxgV.cs High entropy of concatenated method names: 'Kt6QWXF8N5', 'eoDQwFBAXt', 'N7fQ36uCTk', 'q43QD0UTj4', 'XjfQg5R9bN', 'get_Multiline', 'set_Multiline', 'get_Text', 'set_Text', '.ctor'
Source: 7.2.Products Order.exe.f60000.1.unpack, NuASiyYANxi0P2J5eux/jNDFvWYujAkcugZCGBx.cs High entropy of concatenated method names: 'tfZVfipv3V', 'VEVVSVSaLP', 'pDoVN5HQQd', 'bdyVhGFguJ', 'ov2VpmXiCS', 'clYVKIOPEN', 'wNLV0GXort', 'qiFV52hhJW', 'UaiVQJ8P0l', 'EB7V9Cli2x'
Source: 7.2.Products Order.exe.f60000.1.unpack, ldWSQ8YH7XeS9qZer8h/H75utYYa0CILewlQ0Vo.cs High entropy of concatenated method names: '.ctor', 'JREEzlCpyP', 'lDjT2wagwJ', 'PKSfDpVYyN', 'k1Tfgha45q', 'GetEditControl', 'GetEditedValue', 'LoadValues', 'SetEditStyle', 'GetEditStyle'
Source: 7.2.Products Order.exe.f60000.1.unpack, YHweQvYNSoT9ZiFRU4U/bPfrGsYYL8idwlKvl9b.cs High entropy of concatenated method names: 'Iab0JWfOJK', 'kfe0dKkLj4', 'lrk0BP3TJa', 'yHC0vc0Ml5', 'nhA0qFackr', 't070ZtGVtN', 'qdQ0aSB0W6', 'WRA0Hus0Vy', 'NJr0UJvjtE', 'EjE08Isomy'
Source: 7.2.Products Order.exe.f60000.1.unpack, a4eAFCYciwXRIvke8XM/BCgNmDYhQFiJQf76LQ7.cs High entropy of concatenated method names: '.ctor', 'CPnQs5SfM6', 'VfiQAGhdBL', 'ovqQdlpEB2', 'InitializeEditingControl', 'get_EditType', 'get_ValueType', 'get_DefaultNewRowValue', 'PJSmeHcaKH4jqonnDSD', 'MCFunGc6e3fLfLJHAZd'
Source: 7.0.Products Order.exe.f60000.0.unpack, jEJ3iSXqfk6lZpjMd1/s0Q1lMy23wLtJ5aYvV.cs High entropy of concatenated method names: '.cctor', '.ctor', '.ctor', 'jgbN2Ee7mC', 'eY4NY6BDTR', 'r8jNhYUGQW', 'rZ9NcmMoCK', 'RvGNKsD9yL', 'QY5N0DVrl6', 'orGNQsL8id'
Source: 7.0.Products Order.exe.f60000.0.unpack, CZDWkSxlutEmWZ8Des/LjYhvLOFbulQVHUFEL.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'ftthtjKNsV', 'f7sSfvTXT9', 'vqGSsX5L7D', 'REySnMwvVc', 'a7xSzr2Lni', 'xstN2XQJav', 'Ha3NXTiuwN', 'aBXNMdIRCG'
Source: 7.0.Products Order.exe.f60000.0.unpack, LolhYxwjKnfDh5Lfvg/EiOTPuWehH56J2e6gk.cs High entropy of concatenated method names: 'XsdKpJToTO', 'DWyKKCOBMb', '.ctor', 'ArEp3lTxvL', 'woypD0fUOP', 'L8Fp1AjqqS', 'MZjpRXE0mT', 'lcRpoYQMVc', 'EaxpPFcmrN', 'h49ptZxvIp'
Source: 7.0.Products Order.exe.f60000.0.unpack, RitTO5rInvUdtxtaI5/GLt03cLTDHJJZt4aoe.cs High entropy of concatenated method names: '.ctor', 'aEGhHfbmyA', 'Dispose', 'QJehUNZOHu', 'Vlrh8kqQ6l', 'Xlch6fSA3v', 'xuThGKjNEa', 'C43h4OJ5la', 'wCGhO9D1w7', 'OwQSQav2uu'
Source: 7.0.Products Order.exe.f60000.0.unpack, CjobfHSDfoL4D3dn1A/jT8ZVSfZFJS0xhiWby.cs High entropy of concatenated method names: 'VHmLxGRbED', 'DsELadslMk', 'DTIL7bd70Y', 'wcvLyx1XRr', 'TKjLCXiU7J', 'WY6LP2GHVY', 'lbPYI22YFF', 'hMfYSemnEV', 'zR8YyOMoTd', '.ctor'
Source: 7.0.Products Order.exe.f60000.0.unpack, aRFd54IaycYrDka8uo/SB1f1Gm9GFCkdp0CaA.cs High entropy of concatenated method names: '.ctor', 'pjMD9y27H', 'tXGgkr5cM', 'RcTCDHJJZ', 'H03RlFNsS', 'WQ3F1jUWi', 'cMPTG6vnp', 'wixPFs0ac', 'a4OzpaEHl', 'gkBY2mC8Lh'
Source: 7.0.Products Order.exe.f60000.0.unpack, mEvtZo1S3f2PmS807p/EMHZcLg6tBVwih1naU.cs High entropy of concatenated method names: 'VTPKWxOtOu', 'yTLKwHifd7', 'bRBKDO6vcn', 'uVqKgvWWio', 'GaRKRYZsKy', 'By2KFSaJLg', 'xNjKT4bP5C', 'DDqKPewBcY', 'i7RKz5RlnZ', 'BEP02MWQDU'
Source: 7.0.Products Order.exe.f60000.0.unpack, GZwBDXVOq9WPEOQSBN/pr8vCDeqm2b09CZnn2.cs High entropy of concatenated method names: '.ctor', 'Save', 'MOQvSBNgB', 'Load', 'Tf1qG9GFC', 'JdpZ0CaAY', 'UFda54ayc', 'ghPHvlxODboG0C2DCb', 'tokp3wupnx7teMC9iD', 'xuWicpt6MnT8UqpIAj'
Source: 7.0.Products Order.exe.f60000.0.unpack, ldWSQ8YH7XeS9qZer8h/H75utYYa0CILewlQ0Vo.cs High entropy of concatenated method names: '.ctor', 'JREEzlCpyP', 'lDjT2wagwJ', 'PKSfDpVYyN', 'k1Tfgha45q', 'GetEditControl', 'GetEditedValue', 'LoadValues', 'SetEditStyle', 'GetEditStyle'
Source: 7.0.Products Order.exe.f60000.0.unpack, BGs9jPE93YkaZhXU4o/slhC4VlMdgKEy3jB8K.cs High entropy of concatenated method names: '.ctor', 'kKHpSRMmnC', 'zq8pyUBdbf', 'aOhpXf1Klt', 'QXApLKxUNI', 'jDqprdNlI2', 'PV163Ob6dAlDkryA2Bp', 'bS30lCbky2BSsFaaoAW', 'MwI8kvbakf9nVNXChvo', 't0OJ5xbjP0KR5rjk6G9'
Source: 7.0.Products Order.exe.f60000.0.unpack, NRpH4BYZyrGXKZrqqLv/SvleMWYqQLrA5px6syY.cs High entropy of concatenated method names: 'gh2fOxLTbn', 'zQdfx6cDoK', '.ctor', 'get_BackColor', 'set_BackColor', 'get_BackgroundImage', 'set_BackgroundImage', 'get_BackgroundImageLayout', 'set_BackgroundImageLayout', 'get_Font'
Source: 7.0.Products Order.exe.f60000.0.unpack, cmZGbTY8Zbl6eWIQRXx/AaNAGrYUblT7KK7b4Lv.cs High entropy of concatenated method names: '.ctor', 'YD0S2X3gxc', 'mC8SYsIpwM', 'BIiShxTUdo', 'BgUScYojxn', 'PhUfPmFmkw', 'EL9ftaiNiX', 'GctfzvF3ws', 'Ckixt3AvXKY6aCuAYHw', 'BpAE9YACUrmZJy3GPVP'
Source: 7.0.Products Order.exe.f60000.0.unpack, G2qbT2YvtRxukMNikbA/LgygSGYBoAp4MJcxaBq.cs High entropy of concatenated method names: '.ctor', 'hZdfs90Xh2', 'BvoEQYfVcd', 'RQIEOBSVg1', 'YhZtwtAR6O120fCynK7', 'iUsbEfAUqROPRLjyU6w', 'tCYyXgAGWxtw5hk4Oj6', 'P2ZSENADwieZ13mVHf1', 'WdjcuUA5YmwfBySMiyE', 'IeVKBRAoP7mWuJuf5Jo'
Source: 7.0.Products Order.exe.f60000.0.unpack, SQ0tRPYrbQslkKNqwJb/QLhoT9YLQ3g3xPPayxk.cs High entropy of concatenated method names: '.ctor', 'B9LMiN4v7K', 'vWqMs74H5V', 'oWJMN5GbqB', 'dkLMhrqjbi', 'rh5MccE9qP', 'KShMp4AdVg', 'AIdMKWxFxo', 'bswM0sPjGW', 'uCaM5pM5kL'
Source: 7.0.Products Order.exe.f60000.0.unpack, ArZSSGYXL5IdB5pH0YZ/tHUMADYytMpJZW2OxgV.cs High entropy of concatenated method names: 'Kt6QWXF8N5', 'eoDQwFBAXt', 'N7fQ36uCTk', 'q43QD0UTj4', 'XjfQg5R9bN', 'get_Multiline', 'set_Multiline', 'get_Text', 'set_Text', '.ctor'
Source: 7.0.Products Order.exe.f60000.0.unpack, hys8cyYdCWEPtZHKPyE/W0VpBxYJSfYM5SoSBCp.cs High entropy of concatenated method names: '.ctor', 'cRgIqNrZmw', 'jdBIZQG6w9', 'PkiIH2j1j7', 'AbOIUD12Kg', 'get_Multiline', 'set_Multiline', 'LbDVCVsVqo', 'JoTVljqfNd', 'trYVEWruLP'
Source: 7.0.Products Order.exe.f60000.0.unpack, NuASiyYANxi0P2J5eux/jNDFvWYujAkcugZCGBx.cs High entropy of concatenated method names: 'tfZVfipv3V', 'VEVVSVSaLP', 'pDoVN5HQQd', 'bdyVhGFguJ', 'ov2VpmXiCS', 'clYVKIOPEN', 'wNLV0GXort', 'qiFV52hhJW', 'UaiVQJ8P0l', 'EB7V9Cli2x'
Source: 7.0.Products Order.exe.f60000.0.unpack, Fwrc7ZYsp2tWFrurvT9/a9HxWcYiK4WifDgPB1P.cs High entropy of concatenated method names: 'Dispose', 'I4snZbwfcu', 'lNlnabj5gU', 'N92nHUBAxj', 'MjTnUT1GUa', 'get_MinimumSize', 'set_MinimumSize', 'lWOeArWZGx', 'NukeJP7ido', 'gImeB42KB6'
Source: 7.0.Products Order.exe.f60000.0.unpack, YHweQvYNSoT9ZiFRU4U/bPfrGsYYL8idwlKvl9b.cs High entropy of concatenated method names: 'Iab0JWfOJK', 'kfe0dKkLj4', 'lrk0BP3TJa', 'yHC0vc0Ml5', 'nhA0qFackr', 't070ZtGVtN', 'qdQ0aSB0W6', 'WRA0Hus0Vy', 'NJr0UJvjtE', 'EjE08Isomy'
Source: 7.0.Products Order.exe.f60000.0.unpack, a4eAFCYciwXRIvke8XM/BCgNmDYhQFiJQf76LQ7.cs High entropy of concatenated method names: '.ctor', 'CPnQs5SfM6', 'VfiQAGhdBL', 'ovqQdlpEB2', 'InitializeEditingControl', 'get_EditType', 'get_ValueType', 'get_DefaultNewRowValue', 'PJSmeHcaKH4jqonnDSD', 'MCFunGc6e3fLfLJHAZd'
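The "High entropy of concatenated method names" lines above are the sandbox's way of spotting a renaming obfuscator: member names such as 'Iab0JWfOJK' are random mixed-case strings, so the character distribution of a class's member names approaches uniform, while names inherited from the framework (get_BackColor, Dispose, .ctor) are repetitive and low-entropy. The following is an added example, not code from the sandbox or from the sample, that reproduces the measurement as the signature wording describes it. The 4.8 bits/char cutoff is this example's own assumption (the report does not publish the value behind the signature), and the second, baseline class is hand-made from framework member names that appear in the report, under a hypothetical path.

```python
"""Shannon entropy of concatenated .NET method names (added example)."""
import math
from collections import Counter

# Cutoff in bits per character. Assumption of this example; the report does
# not state the value its "High entropy" signature uses.
THRESHOLD_BITS = 4.8


def shannon_entropy(text):
    """Bits of entropy per character of `text`; 0.0 for empty input."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def class_entropy(method_names):
    """Entropy of the member names joined end to end, as the signature describes."""
    return shannon_entropy("".join(method_names))


def flag_obfuscated(classes, threshold=THRESHOLD_BITS):
    """Return [(class_path, bits)] for every class whose names exceed `threshold`."""
    return [(path, round(class_entropy(names), 2))
            for path, names in classes.items()
            if class_entropy(names) > threshold]


# Constructed input. The first entry is copied from the report above; the
# second is a hand-made class of ordinary framework member names (all of
# which also occur in the report) under a hypothetical path, as the baseline.
SAMPLE_CLASSES = {
    "YHweQvYNSoT9ZiFRU4U/bPfrGsYYL8idwlKvl9b.cs": [
        "Iab0JWfOJK", "kfe0dKkLj4", "lrk0BP3TJa", "yHC0vc0Ml5", "nhA0qFackr",
        "t070ZtGVtN", "qdQ0aSB0W6", "WRA0Hus0Vy", "NJr0UJvjtE", "EjE08Isomy"],
    "Baseline/PlainForm.cs": [
        "get_BackColor", "set_BackColor", "get_BackgroundImage",
        "set_BackgroundImage", "get_Font", "Dispose", ".ctor",
        "get_Text", "set_Text", "get_Multiline"],
}

if __name__ == "__main__":
    for path, names in SAMPLE_CLASSES.items():
        print(f"{class_entropy(names):.2f} bits/char  {path}")
    print("flagged:", flag_obfuscated(SAMPLE_CLASSES))
```

Entropy over only the first ten names is a weak signal on its own: a class whose listed members are mostly inherited accessors with two renamed methods among them (compare the 'gh2fOxLTbn', 'zQdfx6cDoK' entry above) stays below the cutoff, so in practice this is paired with a count of names that fit the obfuscator's pattern, and the result is read per unpack stage rather than per class.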

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\Products Order.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Process information set: NOOPENFILEERRORBOX (78 occurrences) Jump to behavior

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Products Order.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Products Order.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Products Order.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\Products Order.exe Window / User API: threadDelayed 662 Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Window / User API: threadDelayed 9180 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Products Order.exe TID: 2964 Thread sleep time: -43380s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe TID: 4072 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe TID: 6136 Thread sleep time: -16602069666338586s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe TID: 6032 Thread sleep count: 662 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe TID: 6032 Thread sleep count: 9180 > 30 Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Products Order.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Products Order.exe Thread delayed: delay time: 43380 Jump to behavior
Source: Products Order.exe, 00000007.00000002.495246243.0000000006420000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Products Order.exe, 00000007.00000002.495246243.0000000006420000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Products Order.exe, 00000007.00000002.495246243.0000000006420000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Products Order.exe, 00000007.00000002.495246243.0000000006420000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Products Order.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Products Order.exe Code function: 7_2_01540040 LdrInitializeThunk, 7_2_01540040
Enables debug privileges
Source: C:\Users\user\Desktop\Products Order.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Products Order.exe Memory written: C:\Users\user\Desktop\Products Order.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Products Order.exe Process created: C:\Users\user\Desktop\Products Order.exe C:\Users\user\Desktop\Products Order.exe Jump to behavior
Source: Products Order.exe, 00000007.00000002.490299889.0000000001E80000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: Products Order.exe, 00000007.00000002.490299889.0000000001E80000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Products Order.exe, 00000007.00000002.490299889.0000000001E80000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: Products Order.exe, 00000007.00000002.490299889.0000000001E80000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: Products Order.exe, 00000007.00000002.490299889.0000000001E80000.00000002.00000001.sdmp Binary or memory string: Progmanlock
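The lines a responder actually acts on are spread over the two sections above: the WMI fingerprinting, long sleeps and sleep loops under Malware Analysis System Evasion, and the MZ header written to base 400000 of a freshly created copy of the process under HIPS / PFW / Operating System Protection Evasion. The parser below is an added example, not part of the Joe Sandbox report or of the sample: it folds those behaviour lines into one summary and derives tags using the cutoffs the report's own signature titles quote (3 minutes, more than 30 iterations). Milliseconds as the unit of "delay time" is this example's assumption; the report does not state the unit, but it is the reading under which 922337203685477 makes sense, since it is Int64.MaxValue in 100-ns ticks expressed in milliseconds, the largest relative wait NtDelayExecution can express. The tag names and the self-spawn heuristic are also the example's own.

```python
"""Triage of Joe Sandbox-style behaviour lines (added example, see lead-in)."""
import re

LONG_SLEEP_MS = 3 * 60 * 1000   # the ">= 3 min" cutoff from the signature title
LOOP_COUNT = 30                 # the "sleep count > 30" cutoff quoted in the lines
# Int64.MaxValue 100-ns ticks expressed in ms: the 922337203685477 seen above, the
# longest relative wait NtDelayExecution can take. Millisecond units are assumed.
INFINITE_MS = (2**63 - 1) // 10_000
VM_FINGERPRINT_CLASSES = {"Win32_Bios", "Win32_BaseBoard", "Win32_Processor",
                          "Win32_NetworkAdapter", "Win32_NetworkAdapterConfiguration"}

_SRC = re.compile(r"^Source:\s+(?P<src>.+?)\s+(?P<event>WMI Queries|Thread delayed|TID|"
                  r"Memory written|Process created):?\s*(?P<rest>.*)$")
_WMI = re.compile(r"IWbemServices::\w+ - (?P<ns>\S+) : (?P<cls>\w+)")
_DELAY = re.compile(r"delay time: (?P<ms>\d+)")
_TID_COUNT = re.compile(r"(?P<tid>\d+) Thread sleep count: (?P<n>\d+)")
_TID_TIME = re.compile(r"(?P<tid>\d+) Thread sleep time: -?(?P<ms>\d+)s")
_MEMW = re.compile(r"(?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+) value starts with: "
                   r"(?P<magic>[0-9A-Fa-f]+)")

# Constructed input: lines copied from the report above plus one unrelated
# NOOPENFILEERRORBOX line, to show that events this parser does not track are skipped.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\Products Order.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard",
    r"Source: C:\Users\user\Desktop\Products Order.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration",
    r"Source: C:\Users\user\Desktop\Products Order.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor",
    r"Source: C:\Users\user\Desktop\Products Order.exe Thread delayed: delay time: 922337203685477 Jump to behavior",
    r"Source: C:\Users\user\Desktop\Products Order.exe Thread delayed: delay time: 43380 Jump to behavior",
    r"Source: C:\Users\user\Desktop\Products Order.exe TID: 6032 Thread sleep count: 9180 > 30 Jump to behavior",
    r"Source: C:\Users\user\Desktop\Products Order.exe TID: 4072 Thread sleep time: -922337203685477s >= -30000s Jump to behavior",
    r"Source: C:\Users\user\Desktop\Products Order.exe Memory written: C:\Users\user\Desktop\Products Order.exe base: 400000 value starts with: 4D5A Jump to behavior",
    r"Source: C:\Users\user\Desktop\Products Order.exe Process created: C:\Users\user\Desktop\Products Order.exe C:\Users\user\Desktop\Products Order.exe Jump to behavior",
    r"Source: C:\Users\user\Desktop\Products Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior",
]


def parse_line(line):
    """Split one line into (source, event, detail); None for events not tracked."""
    line = line.strip()
    if line.endswith("Jump to behavior"):        # UI link text, not data
        line = line[:-len("Jump to behavior")].rstrip()
    m = _SRC.match(line)
    return (m.group("src"), m.group("event"), m.group("rest")) if m else None


def _note_sleep(s, ms):
    if ms >= INFINITE_MS:
        s["infinite_sleeps"] += 1
    elif ms >= LONG_SLEEP_MS:
        s["long_sleeps_ms"].append(ms)


def triage(lines):
    """Fold behaviour lines into one summary dict."""
    s = {"wmi_classes": [], "long_sleeps_ms": [], "infinite_sleeps": 0,
         "sleep_loops": {}, "pe_writes": [], "self_spawn": False}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, event, rest = parsed
        if event == "WMI Queries":
            w = _WMI.search(rest)
            if w and w.group("cls") not in s["wmi_classes"]:
                s["wmi_classes"].append(w.group("cls"))
        elif event == "Thread delayed":
            d = _DELAY.search(rest)
            if d:
                _note_sleep(s, int(d.group("ms")))
        elif event == "TID":
            c, t = _TID_COUNT.match(rest), _TID_TIME.match(rest)
            if c:   # keep the largest iteration count seen per thread
                s["sleep_loops"][c.group("tid")] = max(
                    s["sleep_loops"].get(c.group("tid"), 0), int(c.group("n")))
            if t:
                _note_sleep(s, int(t.group("ms")))
        elif event == "Memory written":
            w = _MEMW.match(rest)
            if w:
                s["pe_writes"].append((w.group("target"), int(w.group("base"), 16),
                                       w.group("magic").upper()))
        elif event == "Process created":
            # "<image> <command line>": a fresh copy of the parent's own image that is
            # later overwritten with a PE is the hollowing pattern (heuristic)
            s["self_spawn"] |= rest.startswith(src)
    return s


def verdicts(s):
    """Fixed-order tags derived from a triage() summary."""
    tags = []
    if VM_FINGERPRINT_CLASSES & set(s["wmi_classes"]):
        tags.append("vm-fingerprinting-via-wmi")
    if s["infinite_sleeps"] or s["long_sleeps_ms"]:
        tags.append("sandbox-timeout-evasion")
    if any(n > LOOP_COUNT for n in s["sleep_loops"].values()):
        tags.append("sleep-loop")
    if any(magic.startswith("4D5A") for _, _, magic in s["pe_writes"]):
        tags.append("pe-image-written-to-process")
        if s["self_spawn"]:
            tags.append("self-hollowing-candidate")
    return tags
```

Two caveats when reading the output. The report lists the same wait both as a "Thread delayed" line and as a "TID ... Thread sleep time" line, so the infinite-wait counter reaches 2 for what may be a single underlying call; dedupe on thread id if an exact count matters. And the 43380 value is flagged by the sandbox against its own 30000 cutoff but is well under the 3-minute signature, which is why it lands in neither bucket here.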

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Users\user\Desktop\Products Order.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Users\user\Desktop\Products Order.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Products Order.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 7.2.Products Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.486997350.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Yara detected AgentTesla
Source: Yara match File source: 7.2.Products Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.486997350.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.491669072.0000000003471000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Products Order.exe PID: 5888, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\Products Order.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Products Order.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Products Order.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\Products Order.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\Products Order.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\Products Order.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Products Order.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\Products Order.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Yara detected Credential Stealer
Source: Yara match File source: 00000007.00000002.491669072.0000000003471000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Products Order.exe PID: 5888, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 7.2.Products Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.486997350.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Yara detected AgentTesla
Source: Yara match File source: 7.2.Products Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.486997350.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.491669072.0000000003471000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Products Order.exe PID: 5888, type: MEMORYSTR
No contacted IP information